Intercom Security Leak
14 points by restfulapi 11 months ago | hide | past | web | favorite | 2 comments
We published a tool to check if you are exposed to the Intercom security leak: https://github.com/constructioncloud/intercom-security-checker

We were able to hijack historical chat sessions of 8 large Intercom customers (within just 2 hours...) because they hadn't activated Identity Verification with HMAC (deactivated by default) in Intercom. We have already informed those companies.

Companies using MySQL and a plain-text, integer userID are the most exposed. Companies using Mongo ObjectIDs are more secure, as the render function is less repeatable. The level of privacy breach depends on the information a customer sent via Intercom to an exposed company. If a customer sent her/his login details via Intercom, then a hacker can gain access to the account. For example, our customers have already sent entire email trails via Intercom.

We were also able to create thousands of new accounts in a hijacked Intercom app, blowing the next month's bill up to $2K or more.

Feedback welcome!
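Identity Verification, which the post says was switched off for the affected apps, is Intercom's documented HMAC-SHA256 scheme: the customer's server computes a `user_hash` over the `user_id` with a per-app secret and the Messenger refuses to open a session whose hash does not match. The Python below is an added example, not the poster's checker tool and not Intercom's code; it shows both halves of the scheme and why a hash lifted from one legitimate session cannot be replayed against a neighbouring integer id, which is exactly the enumeration the post describes. The secret, app id and user ids are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample secret. In practice this is the Identity Verification
# secret shown in the Intercom app settings and must never reach the browser.
IDENTITY_VERIFICATION_SECRET = b"example-secret-do-not-use"


def user_hash(user_id: str, secret: bytes = IDENTITY_VERIFICATION_SECRET) -> str:
    """HMAC-SHA256 of the user id, hex-encoded, which is the value Intercom's
    Identity Verification expects in the Messenger's `user_hash` field."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def widget_settings(app_id: str, user_id: str, email: str) -> dict:
    """What the server renders into the Messenger snippet for a logged-in user.

    Without Identity Verification the snippet carries only app_id/user_id/email,
    so anyone who can guess a user_id (trivial for sequential integers) can
    open that user's conversation history. With it enabled, user_hash must
    match or the session is rejected."""
    return {
        "app_id": app_id,
        "user_id": user_id,
        "email": email,
        "user_hash": user_hash(user_id),
    }


def verify(user_id: str, presented_hash: str,
           secret: bytes = IDENTITY_VERIFICATION_SECRET) -> bool:
    """The receiving side's check: recompute the HMAC and compare in constant
    time. This mirrors what Intercom does once the feature is turned on."""
    expected = user_hash(user_id, secret)
    return hmac.compare_digest(expected, presented_hash)


def replay_attempt(target_user_id: str, settings_from_other_session: dict) -> bool:
    """Attacker scenario from the post: reuse the user_hash observed in one
    session while walking integer ids. Returns True only if the forged
    request would verify, which it should not."""
    return verify(target_user_id, settings_from_other_session["user_hash"])


def enumerate_unprotected(start_id: int, count: int) -> list:
    """The unprotected case: with no hash required, a simple integer walk is all
    it takes to address every account. Returns the user_ids an attacker would
    try; the point is that nothing binds them to a secret."""
    return [str(i) for i in range(start_id, start_id + count)]


if __name__ == "__main__":
    legit = widget_settings("abc123", "1001", "alice@example.com")
    print("legit session verifies:", verify("1001", legit["user_hash"]))
    print("replay against id 1002 verifies:", replay_attempt("1002", legit))
    print("unprotected enumeration sample:", enumerate_unprotected(1000, 5))
```

The constant-time comparison matters on the verifying side: a plain `==` on the hex digests leaks timing information about how many leading bytes of a forged hash were right. The secret must stay server-side; a `user_hash` computed in browser JavaScript with an embedded secret gives no protection at all, since the attacker can compute hashes for any id.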

If you're not using HMAC signatures and are a significant or paid user of Intercom, get your shit together!

I see this has been totally missed by HN.
