Taking Advantage Of Live Chat Leaks

1. + Taking Advantage of Live Chat Leaks +
2.  
3.  
4. Written by Cody Zacharias (@now) and Kane Gamble (@kane_gamble)
5.  
6. ~~~
7.  
8. --[ Table of Contents
9.  
10. 1 - Introduction
11. 2 - Information Disclosure
12. 3 - Proof of Concept
13. 3.1 - LiveChat Software (LiveChatInc)
14. 3.2 - TouchCommerce
15. 4 - Business Impact
16. 5 - Who is Affected?
17.  
18. --[ 1 - Introduction
19.  
20. Kane Gamble and Cody Zacharias discovered information disclosure vulnerabilities
21. in live chat software by LiveChat Software (LiveChatInc), TouchCommerce (formerly
22. inQ, inc. and recently acquired by Nuance Communications), LivePerson, and many
23. others.
24.  
25. Vendors were notified of security issues present in their live chat software, or
26. at least contact attempts were made. Vendors mentioned in this paper have not
27. fixed the vulnerabilities disclosed.
28.  
29. --[ 2 - Information Disclosure
30.  
31. Each live chat software is affected the same way. Significant information about
32. the employee/agent you're communicating with is detailed in the responses of
33. POST requests that are made when chatting with the agent. The information
34. disclosure bugs in the live chat software exist because there are no steps taken
35. to prevent information about the person you're chatting with from being mentioned
36. in the responses.
37.  
38. The type of information being disclosed is dependent on the company/website
39. using the live chat software. Some examples of information we've seen being
40. disclosed include:
41.  
42. - Employee's full name
43. - Employee's supervisor and managers
44. - Employee's ID
45. - Employee's supervisor and manager's employee ID
46. - Employee's location
47. - Center name
48. - Employee's email
49. - Indications of other tools/programs the employee is using
50.  
51. This data can be retrieved by inspecting the requests made during a live
52. chat session with browser networking tools or Burp Suite.
53.  
54. --[ 3 - Proof of Concept
55.  
56. Parts of each sample have been redacted with ****.
57.  
58. ----[ 3.1 - LiveChat Software (LiveChatInc)
59.  
60. This sample is taken from Google Fiber's live chat. The information being disclosed
61. include the employee's name and email address belonging to their account. In some
62. cases, the email address disclosed is a personal email, not a work email address.
63.  
64. jQuery111304544368839391404_1501150342048({"messages":[{"timestamp":1501150382,"unique_id":2,"message":{"name":"start_chat","data":{"visitor":{"id":"S1501150342.5b78b0fe92","nick":"GoD","email":"GoD@mail.com"},"group":2,"source_group":2,"version":"Embedded","custom_variables":{},"integration_params":"","from_manual_invitation":false,"trigger_unique_id":"","welcome_message":"Hello GoD, one moment while we connect you with a Google Fiber team member. ","is_mobile":false,"return_secured_session_id":false,"random_id":"1501150381705RiVFZ16"}}},{"timestamp":1501150382,"unique_id":1,"message_iwcs":"FUC00002K^si*****x@google.com^C****^0^911595^^^0^^0^0^^FU014420CK^1^^^si*****x@google.com;^0^^^^1^1^livechat.s3.amazonaws.com/7251891/avatars/fd8043b7ab99171c3297865686ee6325.png^^Support Agent^"}]});
65.  
66. ----[ 3.2 - TouchCommerce
67.  
68. This sample is taken from Verizon's live chat. The information being disclosed include
69. the employee's full name, employee ID, supervisor's name, supervisor's EID, managers,
70. center name and location. There is also indication that the employee is using CoFEE,
71. a Verizon employee tool used to lookup customer records.
72.  
73. {"messages":[{"state":"assigned","agentID":"3********1@verizon","agent.alias":"Daley","messageType":"stateChange","agentGroupID":"1000****","engagementID":"725742275********","host.node.id":"172.31.10.26","public_user_id":"42314***","agentAttributes":"CoFEE=true,CenterType=Partner,AgentSalesCode=VZID,Director=LUCAS_*****,Team=W******N_G***GE,Vendor=Tech ********a,OpsManager=S**********H,SupervisorEID=028********,AgentLocation=H**********,CenterName=D**************M Hyd","agent.site_attrs":"CoFEE=true,CenterType=Partner,AgentSalesCode=VZID,Director=LUCAS_******,Team=W********N_G****E,Vendor=Tech *****a,OpsManager=S*********H,SupervisorEID=028*******,AgentLocation=H***********,CenterName=D**************M Hyd","business_unit.id":"1900****","cobrowse.enabled":"true","ar_event_send_time":"1522595864750","chatrouter.address":"172.31.10.26","event.agent_last_name":"B******","event.agent_first_name":"Daley","msg.originalrequest.id":"727994074616*****","event.initial_request_attributes":""}], "count":3}
74.  
75. --[ 4 - Business Impact
76.  
77. The type of information being exposed is everything a person would need to successfully
78. perform social engineering attacks against the company by using an employee's real
79. information such as their full name, employee ID and supervisor's name to impersonate them.
80. This could lead to somebody gaining access to employee tools and even allow them to gain a
81. foothold in the internal network.
82.  
83. --[ 5 - Who is Affected?
84.  
85. Some companies affected using TouchCommerce live chat [1]:
86. - Sprint, AT&T, Verizon, Bell, Cox Communications, Bank of America, Merrill Lynch, Citizen's Bank, etc.
87.  
88. Some companies affected using LiveChat Software [2]:
89. - Google Fiber, Kaspersky Labs, Bitdefender, TorGuard VPN, etc.
90.  
91. [1] http://web.archive.org/web/20160618000435/http://www.touchcommerce.com:80/about-us/select-client-list
92. [2] https://www.livechatinc.com/customers/