Researchers recently reported that live chat widgets used by several high-profile sites were leaking personal details of company employees. What data was being leaked by these live chat widgets and how can attackers use that information to successfully attack an organization?
Software integration is an important element of enterprise systems. Because enterprises may have a mission-critical piece of software that is core to their business, they might want ancillary systems to integrate with it to ensure that certain data is maintained or that consistent information is used when interacting with customers. These integrations are usually custom-developed and, for the integration to function properly, they require information to be embedded into the configuration.
When these integrations are internal, the risk of mistakes or vulnerabilities can be reduced. However, when these integrations are external-facing on the internet, the risk is higher. This may be an issue for enterprises that want to integrate cloud services with other systems.
Project Insecurity researchers Cody Zacharias and Kane Gamble recently published an advisory about some information disclosure vulnerabilities they found in the LiveChat software. These vulnerabilities in the live chat widgets seem to integrate with their customer's internal systems that are exposed to the internet.
The vulnerability also appears to expose configuration information in the HTML code on the webpage of the company's internal customer support applications. While the information exposed varies from enterprise to enterprise, it may include private information, such as employee names and ID numbers.
The most sensitive piece of information found by the researchers was the name of an employee's supervisor. Even though this type of information may be in an org chart or employee directory, it could still be used for social engineering with any other information gathered using open source intelligence.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Application and platform security
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading