Intercom Security Leak
14 points by restfulapi 7 months ago | 2 comments
We published a tool to check if you are exposed to the Intercom security leak: https://github.com/constructioncloud/intercom-security-checker
We were able to hijack historical chat sessions of 8 large Intercom customers (just within 2 hours...) because they haven't activated Identity Verification with HMAC (deactivated by default) in Intercom. We already informed those companies.
Companies using MySQL and a plain-text, integer userID are exposed the most. Companies using Mongo ObjectIDs are more secure as the render function is less repeatable. The level of privacy breach depends on the information a customer sent via Intercom to an exposed company. If a customer sent her/his login details via Intercom, then a hacker can gain access to the account. For example our customers already sent entire email trails via Intercom.
We were also able to create thousands of new accounts in a hijacked Intercom app - blowing the next month's bill up to $2K and more.
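As an added illustration (not code from the post or from the linked checker tool), this shows the server-side computation Intercom's Identity Verification relies on, an HMAC-SHA256 over the `user_id` with the app's Identity Verification secret, next to a verifier, and models why a guessable integer `user_id` alone is accepted only when that verification is switched off. The secret and the ids are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholder: a real deployment uses the Identity Verification
# secret from the Intercom app settings and keeps it server-side only.
IDENTITY_VERIFICATION_SECRET = b"example-secret-not-a-real-key"


def user_hash(user_id: str, secret: bytes = IDENTITY_VERIFICATION_SECRET) -> str:
    """Computed on the server and passed to the Messenger as `user_hash`
    alongside `user_id`: hex-encoded HMAC-SHA256 of the user id."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_user_hash(user_id: str, presented_hash: str,
                     secret: bytes = IDENTITY_VERIFICATION_SECRET) -> bool:
    """Receiving side: recompute the HMAC and compare in constant time."""
    expected = user_hash(user_id, secret)
    return hmac.compare_digest(expected, presented_hash)


def session_accepted(user_id: str, presented_hash: Optional[str],
                     identity_verification_enabled: bool) -> bool:
    """Model of the two configurations the post contrasts.

    With Identity Verification off (the default the post describes), any
    user_id is accepted, so a sequential integer id can be walked.
    With it on, a session is accepted only if the caller also presents
    the HMAC for that id, which requires the server-side secret."""
    if not identity_verification_enabled:
        return True
    if presented_hash is None:
        return False
    return verify_user_hash(user_id, presented_hash)
```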