Two researchers from Project Insecurity, Cody Zacharias and Kane Gamble, have discovered a security flaw in live chat widgets that leaks personal data of the employees of the firms using them.
So far the researchers have not published technical details of the bug or any exploit code; full details may follow once the vendors have patched the issue.
In the meantime, two live chat widgets used on hundreds of high-profile websites, including Google and PayPal, were found to be leaking employees' personal data.
The vulnerable widgets are used on sites run by Google, Verizon, Sprint, Bank of America, PayPal, Orange, Sony, Tesla, Bitdefender, Kaspersky Lab, Disney, and many others.
According to Zacharias and Gamble, the leak occurs when an attacker engages in a live chat session with a support staffer. The exposed data includes the staffer's real name, company email address, employee ID, support centre name, location, supervisor name, supervisor ID, and the software used by the employee.
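The data-minimization fix this class of leak calls for, as an added example that is not the researchers' or either vendor's code: the visitor-facing agent payload is built by allowlisting the two fields the chat UI actually needs, and a checker scans a captured widget message for the fields the article lists as exposed. The event shape, key names and sample values are constructed assumptions, since neither vendor's real schema has been published.

```javascript
// Added example (not the vendors' code). Two pieces:
//  1. visitorSafeAgentView(): allowlist projection of the internal agent
//     record down to what the visitor's chat UI needs to render.
//  2. findOverexposedFields(): scans any client-bound message (e.g. one
//     captured from the widget's network channel) for employee fields that
//     should never reach the visitor's browser.

// Fields the visitor-side chat UI legitimately needs.
const VISITOR_ALLOWLIST = new Set(["displayName", "avatarUrl"]);

// Field names mirroring the data the article reports as leaked. The key
// names themselves are assumptions; the real widgets' schemas are not public.
const SENSITIVE_FIELDS = new Set([
  "realName", "email", "employeeId", "supportCenter", "location",
  "supervisorName", "supervisorId", "software",
]);

// Constructed sample of a leaky "agent joined" event, as it might arrive in
// the visitor's browser. Values are made up.
const LEAKY_EVENT = {
  type: "agent_joined",
  agent: {
    displayName: "Alex",
    avatarUrl: "https://example.invalid/avatars/alex.png",
    realName: "Alex Example",
    email: "alex.example@corp.example",
    employeeId: "E-10482",
    supportCenter: "Tier 1 - Region A",
    location: "Building 3",
    supervisorName: "Sam Example",
    supervisorId: "E-10007",
    software: ["AgentDesktop 4.2", "Windows 10"],
  },
};

// Hardened form: copy only allowlisted keys. Adding a new field to the
// internal agent record can then never widen what the visitor receives.
function visitorSafeAgentView(agentRecord) {
  const view = {};
  for (const key of VISITOR_ALLOWLIST) {
    if (key in agentRecord) view[key] = agentRecord[key];
  }
  return view;
}

// Rebuild an outbound event with the agent sub-object minimized.
function hardenEvent(event) {
  return { ...event, agent: visitorSafeAgentView(event.agent) };
}

// Check: walk a (possibly nested) message and return dotted paths of every
// key that names sensitive employee data. Useful against captured traffic.
function findOverexposedFields(message, path = "") {
  const findings = [];
  if (Array.isArray(message)) {
    message.forEach((item, i) =>
      findings.push(...findOverexposedFields(item, `${path}[${i}]`)));
  } else if (message && typeof message === "object") {
    for (const [key, value] of Object.entries(message)) {
      const here = path ? `${path}.${key}` : key;
      if (SENSITIVE_FIELDS.has(key)) findings.push(here);
      findings.push(...findOverexposedFields(value, here));
    }
  }
  return findings;
}

// Stand-alone demo: the leaky event trips the check, the hardened one does not.
console.log("leaky:", findOverexposedFields(LEAKY_EVENT));
console.log("hardened:", findOverexposedFields(hardenEvent(LEAKY_EVENT)));
```

The checker flags by key name, so it is only as good as the list it is given; in practice you would seed SENSITIVE_FIELDS from the real internal agent schema and run it over every message type the widget emits, not just the agent-joined event shown here.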
[EXPLOIT] - Information Disclosure affecting TouchCommerce and LiveChatInc (leak employee info + access private tools)— PROJECT INSECURITY (@insecurity) April 3, 2018
Writeup: https://t.co/NjisnOoWjG
Vulnerable sites include Google Fiber, various major banks, various major ISPs, TorGuard VPN and more. pic.twitter.com/9pvhN4yrxy
Zacharias and Gamble said:
"The type of information being exposed is everything a person would need to successfully perform social engineering attacks against the company by using an employee's real information such as their full name, employee ID and supervisor's name to impersonate them,"
"This could lead to somebody gaining access to employee tools and even allow them to gain a foothold in the internal network," they added.
The researchers had initially reported the issue to the vendors of the leaky widgets, but it went unpatched. After the advisory was published, LiveChat acknowledged the issue and promised a fix.
Hi! Thanks a lot for letting us know. We’re preparing a fix to make the personal data of employees impossible to expose while chatting via LiveChat. Our team is going to implement it as soon as possible. Once we are able to confirm that the fix works properly, we’ll let you know.— LiveChat Status (@LiveChatStatus) April 4, 2018