How can live chat widgets leak personal employee data?

Project Insecurity researchers found live chat software leaking personal employee data. Learn how attackers can use this leaked information and data to hurt organizations.

Researchers recently reported that live chat widgets used by several high-profile sites were leaking personal details of company employees. What data was being leaked by these live chat widgets and how can attackers use that information to successfully attack an organization?

Software integration is an important element of enterprise systems. Because enterprises may have a mission-critical piece of software that is core to their business, they might want ancillary systems to integrate with it to ensure that certain data is maintained or that consistent information is used when interacting with customers. These integrations are usually custom-developed and, for the integration to function properly, they require information to be embedded into the configuration.

When these integrations are internal, the risk of mistakes or vulnerabilities can be reduced. However, when these integrations are external-facing on the internet, the risk is higher. This may be an issue for enterprises that want to integrate cloud services with other systems.

Project Insecurity researchers Cody Zacharias and Kane Gamble recently published an advisory about some information disclosure vulnerabilities they found in the LiveChat software. The live chat widgets seem to integrate with their customers' internal systems, and those integrations are exposed to the internet.

The vulnerability also appears to expose configuration information in the HTML code on the webpage of the company's internal customer support applications. While the information exposed varies from enterprise to enterprise, it may include private information, such as employee names and ID numbers.

The most sensitive piece of information found by the researchers was the name of an employee's supervisor. Even though this type of information may be in an org chart or employee directory, it could still be used for social engineering with any other information gathered using open source intelligence.
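As an added example (not code from the advisory or the researchers), a small audit script that pulls JSON configuration objects out of a page's inline scripts and flags fields whose key path names a person, which is the kind of check a site owner can run against their own pages before a widget goes live. The sample page, its field names and values are constructed for this example.

```python
import json
import re

# Constructed sample page: an inline widget bootstrap that embeds operator
# details. Field names and values are invented; the licence is a placeholder.
SAMPLE_HTML = """<html><body>
<script type="text/javascript">
  window.__chatConfig = {"licence": "PLACEHOLDER-LICENCE", "group": "billing",
    "operator": {"name": "Example Agent", "employeeId": "E-0001",
                 "supervisor": {"name": "Example Manager", "employeeId": "E-0002"}},
    "theme": {"color": "#336699"}};
</script></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Key-name fragments that usually mean a field describes a person, not the UI.
PERSONAL_TOKENS = ("employee", "supervisor", "manager", "operator", "agent")

def extract_json_objects(script_text):
    """Yield each top-level {...} in a script body that parses as JSON.
    Brace matching ignores string contents, so a '}' inside a string value
    would confuse it; good enough for auditing widget bootstrap blobs."""
    depth, start = 0, None
    for i, ch in enumerate(script_text):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                try:
                    yield json.loads(script_text[start:i + 1])
                except json.JSONDecodeError:
                    pass  # a function body or JS literal, not JSON: skip it

def walk_leaves(obj, path=()):
    """Yield (key_path, value) for every scalar in a nested dict/list."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_leaves(value, path + (key,))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk_leaves(value, path + (str(index),))
    else:
        yield path, obj

def find_personal_fields(html):
    """Return (dotted_path, value) for leaves whose key path mentions a person."""
    hits = []
    for script in SCRIPT_RE.findall(html):
        for config in extract_json_objects(script):
            for path, value in walk_leaves(config):
                if any(tok in seg.lower() for seg in path for tok in PERSONAL_TOKENS):
                    hits.append((".".join(path), value))
    return hits
```

Running `find_personal_fields(SAMPLE_HTML)` reports the operator's and supervisor's names and IDs while leaving the theme and licence fields alone; any hit is configuration that should be served from the back end after the chat session is authorised, not embedded in public HTML.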
