The live chat scripts embedded in the websites of businesses across a variety of industries are leaking the full name, employee ID, and location of employees.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A data leak in the chat scripts of the LiveChat and TouchCommerce platforms lets anyone inspecting the traffic see information about the support agents they are chatting with.
- The information would be particularly useful in social engineering attacks, potentially allowing hackers deeper access to internal corporate tools.
LiveChat and TouchCommerce--two popular platforms for providing live chat solutions for sales and customer support use cases--have been found to leak employee information, according to independent security researchers Cody Zacharias and Kane Gamble. According to the disclosure, the leaked information can include the full name and ID of an employee, the full name and ID of supervisors and/or managers of that employee, the employee's location and email address, the center name, and what tools or programs the employee is using.
The information is included in the POST requests made by the chat script when communicating with a support or sales agent. According to the researchers, it can be viewed with the browser's built-in developer tools (the network tab), or with an intercepting proxy such as Burp Suite; no exploit code is required.
Depending on the exact way that each company licensing this technology implements the chat services, the exact nature of the information being transmitted varies. The researchers indicate that the leaked information "is everything a person would need to successfully perform social engineering attacks against the company," adding that: "This could lead to somebody gaining access to employee tools and even allow them to gain a foothold in the internal network."
SEE: Information security incident reporting policy (Tech Pro Research)
Zacharias and Gamble claim to have contacted LiveChat and Nuance Communications, which acquired TouchCommerce in 2016, about the vulnerability. The report indicates that the vendors have not fixed the vulnerability, but does not indicate how much time elapsed between notification and this public disclosure.
The potential impact from this vulnerability is moderately high, given the number of large, high-profile organizations that use the two named live chat solutions. The disclosure names Sprint, AT&T, Verizon, Bell, Cox Communications, Bank of America, Merrill Lynch, and Citizens Bank as having deployed TouchCommerce; and Google Fiber, Kaspersky Labs, Bitdefender, and TorGuard VPN as using LiveChat software. The market research firm HG Data shows 717 companies using TouchCommerce, among them Esurance and MetLife; and 8,532 using LiveChat, including BMW, HostWinds, and Ricoh.
Kane Gamble, one of the researchers who discovered the issue, is a former black-hat hacker who is well-versed in social engineering attacks. Between June 2015 and February 2016, at the age of 15, Gamble targeted then-CIA chief John Brennan, FBI deputy director Mark Giuliano, and Homeland Security secretary Jeh Johnson. He gained access to Brennan's personal AOL email account, and was able to listen to voicemails and send texts from Johnson's personal cell phone, according to a report from The Independent.
Update: A representative from LiveChat told TechRepublic "we're preparing a fix to make the personal data of employees impossible to expose while chatting via LiveChat." The representative also claimed that compared to TouchCommerce, "The leak allows only to discover the email address of the agent you are chatting with." TechRepublic has not independently verified that claim.