Researchers recently reported that live chat widgets used by several high-profile sites were leaking personal details of company employees. What data was being leaked by these live chat widgets and how can attackers use that information to successfully attack an organization?
Software integration is an important element of enterprise systems. Because enterprises may have a mission-critical piece of software that is core to their business, they might want ancillary systems to integrate with it to ensure that certain data is maintained or that consistent information is used when interacting with customers. These integrations are usually custom-developed and, for the integration to function properly, they require information to be embedded into the configuration.
When these integrations are internal, the risk of mistakes or vulnerabilities can be reduced. However, when these integrations are external-facing on the internet, the risk is higher. This may be an issue for enterprises that want to integrate cloud services with other systems.
Project Insecurity researchers Cody Zacharias and Kane Gamble recently published an advisory about some information disclosure vulnerabilities they found in the LiveChat software. The affected live chat widgets seem to integrate with customers' internal systems that are exposed to the internet.
The vulnerability also appears to expose configuration information in the HTML code on the webpage of the company's internal customer support applications. While the information exposed varies from enterprise to enterprise, it may include private information, such as employee names and ID numbers.
The most sensitive piece of information found by the researchers was the name of an employee's supervisor. Even though this type of information may be in an org chart or employee directory, it could still be used for social engineering with any other information gathered using open source intelligence.
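A site owner can check for this kind of exposure by auditing rendered pages for employee fields in inline widget configuration before release. The following is an added example, not code from the advisory or from LiveChat; the sample page, the `chatConfig` variable and the key names are constructed for illustration, and the list of sensitive key names is an assumption to adapt per integration.

```python
import json
import re

# Assumed key-name patterns for the employee details the article describes.
SENSITIVE = re.compile(r"employee|supervisor", re.I)
# Bodies of <script> elements; external scripts simply yield empty bodies.
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

def json_objects(text):
    """Yield every JSON object literal embedded in a script body."""
    dec, i = json.JSONDecoder(), text.find("{")
    while i != -1:
        try:
            obj, end = dec.raw_decode(text, i)
        except json.JSONDecodeError:
            i = text.find("{", i + 1)   # not JSON (e.g. a function body)
            continue
        yield obj
        i = text.find("{", end)

def walk(node, path=""):
    """Yield dotted paths of keys whose names look like employee data."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if SENSITIVE.search(key):
                yield here
            yield from walk(value, here)
    elif isinstance(node, list):
        for n, value in enumerate(node):
            yield from walk(value, f"{path}[{n}]")

def audit(html):
    """Return paths of employee-related keys found in inline script config."""
    return [p for body in SCRIPT_BODY.findall(html)
            for obj in json_objects(body) for p in walk(obj)]

# Constructed sample page; not taken from any real deployment.
SAMPLE = """<html><body>
<script src="https://cdn.example.invalid/widget.js"></script>
<script>
  var chatConfig = {"license": 1234567, "visitor": {"name": "guest"},
    "params": [{"employeeId": "E-0001"}, {"supervisorName": "A. Example"}]};
  function init() { return chatConfig; }
</script></body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("employee data in page source:", finding)
```

Any finding means the value is readable by every visitor who views the page source, so the field should be dropped from the widget configuration or resolved server-side instead.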