At least two live chat widgets used on hundreds of high-profile sites are leaking the personal details of company employees.
The vulnerable widgets are used on sites managed by Google, Verizon, Spring, Bank of America, PayPal, Orange, Sony, Tesla, Bitdefender, Kaspersky Lab, Disney, and many others.
The leak occurs when an attacker engages in a live chat session with a support staffer. According to Project Insecurity researchers Cody Zacharias and Kane Gamble, the widgets leak information on the support staffer, such as his real name, company email address, employee ID, support center name, location, supervisor name, supervisor ID, or software used by the employee.
These details vary from company to company, depending on how each business has set up its support widgets, and for some, no information may leak.
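The defensive pattern that closes this class of leak is worth seeing in code. The following is an added example, not code from the Project Insecurity advisory or from either widget vendor: the server builds the visitor-facing agent object through an explicit allow-list, so email, employee ID, supervisor and tooling fields never reach the browser no matter how a given company has configured its support centre, and a second function scans an outgoing payload for the kinds of values the advisory describes so a regression is caught. The field names and the sample agent record are constructed assumptions.

```javascript
// Added example, not from the advisory or the widget vendors. Field names
// and the sample record below are assumptions constructed for illustration.

// Fields a visitor's browser legitimately needs to render the chat header.
const VISITOR_SAFE_AGENT_FIELDS = new Set(['displayName', 'avatarUrl', 'status']);

// Return only the allow-listed fields and copy nothing else through. A
// deny-list would have to track every tenant-specific field a company adds
// to its agent records; an allow-list does not, which is why it is the right
// shape here.
function agentViewForVisitor(agent) {
  const out = {};
  for (const key of VISITOR_SAFE_AGENT_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(agent, key)) out[key] = agent[key];
  }
  return out;
}

// Detection side: scan an outgoing payload (for example a chat-event JSON
// blob) for the categories of data described as leaking, so that a change
// that bypasses the allow-list is flagged in tests or by a log-based check.
const LEAK_PATTERNS = {
  email: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/,
  employeeId: /\b(?:emp|employee)[_-]?id\b/i,
  supervisor: /\bsupervisor/i,
};

function findLeakedAgentFields(payload) {
  const text = typeof payload === 'string' ? payload : JSON.stringify(payload);
  return Object.keys(LEAK_PATTERNS).filter((name) => LEAK_PATTERNS[name].test(text));
}

// Constructed sample of what a company's back end might hold for one agent.
const SAMPLE_AGENT = {
  displayName: 'Alex',
  avatarUrl: 'https://example.invalid/avatars/alex.png',
  status: 'online',
  email: 'alex.doe@example.invalid',
  employeeId: 'EMP-00417',
  supervisorName: 'Sam Roe',
  supervisorId: 'EMP-00012',
  supportCenter: 'Tier 1, Example City',
  tooling: 'AgentDesk 4.2',
};

// Compare the naive payload (whole agent record serialised) with the
// allow-listed one. The leak scanner flags the former and not the latter.
function demo() {
  const unsafe = { event: 'agent_joined', agent: SAMPLE_AGENT };
  const safe = { event: 'agent_joined', agent: agentViewForVisitor(SAMPLE_AGENT) };
  return {
    unsafeLeaks: findLeakedAgentFields(unsafe), // ['email', 'employeeId', 'supervisor']
    safeLeaks: findLeakedAgentFields(safe), // []
    safeAgent: safe.agent,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The scanner is deliberately coarse: it is a tripwire for CI or for sampling chat-event logs, not a substitute for the allow-list, which is the control that actually prevents the data from being serialised.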
Bleeping Computer was able to confirm the leak on several sites, although not all of the sites we tested were exposing employee data. We will not name the sites where the live chat widgets leaked employee data, for security reasons.
"The type of information being exposed is everything a person would need to successfully perform social engineering attacks against the company by using an employee's real information such as their full name, employee ID and supervisor's name to impersonate them," Zacharias and Gamble said.
"This could lead to somebody gaining access to employee tools and even allow them to gain a foothold in the internal network," the researchers added.
Tweet from @notdan, April 3, 2018: "This is massive!! If you haven't seen it already, look at the PRELIMINARY sample of places this affected pic.twitter.com/F3Hyn3U8rT"
Researchers said the companies behind the leaky live chat widgets are LiveChat and TouchCommerce (now part of Nuance).
These two providers serve a long list of companies across many industry verticals. Some of the companies running live chat widgets from the two are listed here, but more complete lists are available on each widget provider's homepage [1, 2].
Zacharias and Gamble said they notified the companies behind the leaky live chat widgets, but the flaws remained unpatched yesterday, when the team at Project Insecurity, an infosec education platform, published a security advisory.
Bleeping Computer has also reached out to the two live chat widget providers for comment. A LiveChat spokesperson acknowledged the security flaw and promised a patch.
The Project Insecurity advisory also listed LivePerson as a vulnerable service, but researchers did not publish a proof of concept, nor were we able to reproduce a leak on sites using a LivePerson chat widget (we only tested three sites, though).
This is not the first time a live chat widget provider has faced problems. On Thanksgiving last year, the infrastructure of LiveHelpNow was compromised by a hacker who deployed a copy of the Coinhive in-browser mining script on around 1,500 sites where the widget was being loaded to provide live support capabilities.
Update 4/8/18: A LiveChat representative stated that the patch is live now and "now is impossible to expose the email address of employees while chatting via our service".