Live Chat Widgets Leaks Personal Details of Employees of Big Companies

Two researchers from Project Insecurity, Cody Zacharias and Kane Gamble, have discovered a security loophole in live chat widgets that leaks personal data about the employees of the firms using them.

At the time, two live chat widgets used on hundreds of high-profile websites, including those of Google and PayPal, were found to be leaking employees' personal data.
The vulnerable widgets are used on sites managed by Google, Verizon, Spring, Bank of America, PayPal, Orange, Sony, Tesla, Bitdefender, Kaspersky Lab, Disney, and many others.

According to Cody and Kane, the leak occurs when an attacker engages in a live chat session with a support staffer. The leaked data can include the employee's real name, company email address, employee ID, support center name, location, supervisor name, supervisor ID, and the software used by the employee.
Cody and Kane said:
"The type of information being exposed is everything a person would need to successfully perform social engineering attacks against the company by using an employee's real information such as their full name, employee ID and supervisor's name to impersonate them,"
"This could lead to somebody gaining access to employee tools and even allow them to gain a foothold in the internal network," they added.
The researchers had initially reported the security issue to the vendors of the leaky widgets, but it was not patched. After the security advisory was published, LiveChat acknowledged the issue and promised to patch it.
The researchers have not yet published the technical details of the bug, nor posted exploit code. Full technical details may follow once the vendor patches the issue.

With ❤️ Cyber Kendra