
Intercom Security Leak - restfulapi
We published a tool to check if you are exposed to the Intercom security leak: https://github.com/constructioncloud/intercom-security-checker

We were able to hijack historical chat sessions of 8 large Intercom customers (just within 2 hours...) because they haven't activated Identity Verification with HMAC (deactivated by default) in Intercom. We already informed those companies.

Companies using MySQL and a plain-text, integer userID are exposed the most. Companies using Mongo ObjectIDs are more secure as the render function is less repeatable. The level of privacy breach depends on the information a customer sent via Intercom to an exposed company. If a customer sent her/his login details via Intercom, then a hacker can gain access to the account. For example, our customers already sent entire email trails via Intercom.

We were also able to create thousands of new accounts in a hijacked Intercom app - blowing next month's bill up to $2K and more.

Feedback welcome!
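The mitigation the post refers to, Intercom Identity Verification, works by having your server compute an HMAC over the user identifier with a per-app secret and sending that `user_hash` alongside `user_id` in the Messenger boot payload; without the secret, nobody can produce a valid hash for another user's id, so guessing sequential integer ids no longer yields someone else's conversation history. The following is an added example (not code from the post, the linked checker or Intercom) showing the server-side computation and a verification step in Python. It assumes Intercom's scheme is HMAC-SHA256 keyed with the Identity Verification secret over the `user_id` string, hex-encoded; the secret, app id and user ids below are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values; a real deployment reads the secret from
# configuration (never ship it to the browser) and uses its own app id.
IDENTITY_SECRET = "example-identity-verification-secret"
APP_ID = "example_app_id"


def intercom_user_hash(secret: str, user_id: str) -> str:
    """Server side: HMAC-SHA256 of the user id keyed with the identity secret.

    Assumed to match Intercom's Identity Verification scheme (hex digest).
    """
    return hmac.new(
        secret.encode("utf-8"),
        user_id.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()


def boot_payload(secret: str, app_id: str, user_id: str, email: str) -> dict:
    """Build the Messenger boot settings a page would embed for a logged-in user.

    user_hash binds this session to user_id; the secret itself stays server side.
    """
    return {
        "app_id": app_id,
        "user_id": user_id,
        "email": email,
        "user_hash": intercom_user_hash(secret, user_id),
    }


def verify_user_hash(secret: str, user_id: str, presented_hash: str) -> bool:
    """Verifier side: recompute and compare in constant time.

    Intercom performs this check when Identity Verification is enforced; it is
    reproduced here so the effect of the setting can be demonstrated offline.
    """
    expected = intercom_user_hash(secret, user_id)
    return hmac.compare_digest(expected, presented_hash)


def forged_neighbour_is_rejected(secret: str, user_id: str, neighbour_id: str) -> bool:
    """Show why enforcement closes the hole described in the post.

    A client that legitimately holds the hash for user_id and simply swaps in
    an adjacent integer id (the MySQL auto-increment case) fails verification,
    because the hash was computed over the original id.
    """
    legit = boot_payload(secret, APP_ID, user_id, "alice@example.com")
    forged = dict(legit, user_id=neighbour_id)  # same user_hash, different id
    return not verify_user_hash(secret, forged["user_id"], forged["user_hash"])


if __name__ == "__main__":
    payload = boot_payload(IDENTITY_SECRET, APP_ID, "1001", "alice@example.com")
    print("boot payload:", payload)
    print("legit verifies:", verify_user_hash(IDENTITY_SECRET, "1001", payload["user_hash"]))
    print("neighbour id rejected:", forged_neighbour_is_rejected(IDENTITY_SECRET, "1001", "1002"))
```

The check that matters operationally is that Identity Verification is switched to enforced in the Intercom app settings, not merely that `user_hash` is present in the payload; while the setting is off, Intercom accepts a bare `user_id`, which is exactly the condition the post describes.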
======
shimon
If you're not using HMAC signatures and are a significant or paid user of
Intercom, get your shit together!

------
danieltillett
I see this has been totally missed by HN.

