Live Chat Widgets Leak Employee Details From High-Profile Companies


Recommended Posts

At least two live chat widgets used on hundreds of high-profile sites are leaking the personal details of company employees.
The vulnerable widgets have been found on sites managed by Google, Verizon, Spring, Bank of America, ING, PayPal, Orange, Sony, Tesla, Bitdefender, Kaspersky Lab, Disney, and many others.

The leak occurs when an attacker engages in a live chat session with a support staffer. According to Project Insecurity researchers Cody Zacharias and Kane Gamble, the widgets leak information about the support staffer, such as their real name, company email address, employee ID, support center name, location, supervisor name, supervisor ID, or the software used by the employee.

Not all companies leak support staffer data

These details vary from company to company, depending on how each business has set up its support widgets, and for some, no information may leak.

Bleeping Computer was able to confirm the leak on several sites, although not all of the sites we tested were exposing employee data. For security reasons, we will not name the sites where the live chat widgets leaked employee data.

"The type of information being exposed is everything a person would need to successfully perform social engineering attacks against the company by using an employee's real information such as their full name, employee ID and supervisor's name to impersonate them," Zacharias and Gamble said.

"This could lead to somebody gaining access to employee tools and even allow them to gain a foothold in the internal network," the researchers added.
