@dlebech
Created March 7, 2016 13:45
This is a copy of a support chat between Intercom and myself. It's referred to from a blog post I wrote here.

David:

Hello there

I wanted to make a report of what I believe to be a security hole in your app.

I recently had a support chat session with a service I use while being logged-in.

After I logged-out, the same support chat was still visible

I tried closing my browser and opening the same page without logging in to the service and the support chat was still active.

In other words, someone else using my browser would be able to see my private support chat!

Now this service uses the Intercom widget both for logged-in and non-logged support chats which seems pretty common, so just to be sure that they didn't seem to do anything wrong, I peeked at the source of the page.

  • When logged-out, window.intercomSettings was only initialized with the app_id, nothing else...
  • When logged-in, the same settings also contain my email address and user hash as expected.

I suspect this service is not calling shutdown upon logging me out of their site, but something like this should really not just be left up to the user to handle in my opinion. I look forward to your response.

Intercom:

Hey David,

It sounds like what you are experiencing is, in fact, intended behavior based on the way we have cookies operate in a web app. It's worth having a discussion though on this. Basically, are you seeing conversations you had as a user after logging out? Just want to confirm this behavior.

David:

Yes, that is correct. Case in point: I just opened my browser, went to your main website here at intercom.io and without signing in, your message popped up.

In other words, if I was another person using the same browser, I would see all the private support chats from the previous person using the browser.

It's very easy to reproduce on your site:

  • Sign-in
  • Have a private support chat
  • Sign-out
  • Close the browser
  • Reopen the browser on your main website
  • Voila, without signing in, I can see all the same chats from before.

If this is by design, then I'm going to never ever use an Intercom chat window again -- at least not on a shared computer. Knowing that someone else can read my private chat logs. That's super scary!

Cheers

Intercom:

This is, in fact, by design. We track users using an anonymous cookie, and when they log out that cookie still exists, so we can use that to keep the conversations in the messenger. I think your concern though is interesting, and I'll forward this as feedback to our Messenger team.

If you'd like to ensure that others won't see the conversations, I recommend clearing your cookies with us after logging out.

Apologies for the confusion there, it's clear that sometimes what we think is a good idea isn't always agreed upon by others.

Cheers,

Intercom:

Hey David, are you there? I see you typing but I don't see any replies.

David:

Thank you for your honesty, I was very afraid you might say that "it's by design". That's very disappointing.

Once again, here I am, opening up your frontpage without signing in, and I see all my conversations from the past. I even see multiple "Hi David" announcements (see attachment) from before.

At this point, it would be very easy to impersonate me, which is essentially what I am doing to myself right now, i.e. I am continuing a chat session as if I am David, but how can you actually know that? Because you expected the real David to remember to delete all cookies?

There is an expectation that certain things stay around and other things don't. Sure, if I click "remember me" on a sign-in form, I have to remember to sign out, otherwise I will still be signed in next time I open that page. But for a support chat window that recalls and shows all previous chats when I sign in, I would expect them to stay visible only while signed in, disappear when I sign out, and absolutely not show up again once I restart my browser the next day.

When using Intercom with some service (yours included) there are no warnings about what you should or should not say, so while I would probably never put in my credit card, I would certainly expect that I could get very specific help from you regarding my usage of Intercom, including giving you names, emails, user IDs, etc.

Is it really that far-fetched to think this would happen on a shared workstation? I don't think it is.

What a tragedy this is for privacy that you consider it "by design" that someone else can go into my browser and start impersonating me in a support chat -- just because I didn't delete all my cookies when I closed my browser.

Finally, it seems that you might be breaching your own privacy policy. At least it's on the border of a breach. There are two sections that I find interesting. First, section IV. D. reads "... you will be notified when your Personal Information may be shared with third parties, and will be able to prevent the sharing of this information." Since my information is available to 3rd parties (other people using my browser) and I wasn't notified, that seems a violation of that policy.

Second, you seem to give some advice in the policy on how to protect oneself in section V.: "You must prevent unauthorized access to your account and Personal Information ... by signing off after you have finished accessing your account."

Signing off is exactly what I did but that didn't prevent this personal chat and my name from showing up again. That's a very clear breach of that policy to me -- maybe you should revise it and say that you share Personal Information "By Design" or you should amend the privacy policy to read: "Delete all your cookies, all your browser history, all your things, and you should probably also reinstall your browser after using our service"

I hope you guys have fun reading this. I mean well, although I am extremely disappointed.

Cheers

David:

Yeah just took me a long time to write it all out ;)

Intercom:

Hey David, I believe I have a workaround for you.

I just did some investigating to see if it were possible to automatically clear out conversations after logging out, and it absolutely is.

What you'll want to use is the JavaScript API after a user logs out. When loading the first logged-out page, you'll want to:

  1. Have the Intercom library loaded
  2. Once loaded, call Intercom('shutdown')
  3. Call Intercom('boot', {app_id: 'YOUR_APP_ID'})

This will clear out conversations associated with your user after exiting Intercom. I realized that my suggestion was a bad one (cookie clearing), but I had forgotten that we provide this option for users. Can you give that a go and let me know if it works out?

This might resolve the core issue here.

David:

First, I'm aware of that function, and I already mentioned it earlier in this support chat: "I suspect this service is not calling shutdown upon logging me out of their site, but something like this should really not just be left up to the user to handle in my opinion."

Second, you're not drinking your own Kool-Aid. The problem is not with our website, but yours (and others).

When I sign out in a few minutes and restart my browser, this chat with you will pop up again once I go to your frontpage (without signing in)

Thanks anyway for looking into it.

Intercom:

Understood David.

Other than pinging my PM in on this issue and having him consider your feedback, I'm not sure there's much I can do here -- what I can recommend is to avoid sharing personal or sensitive information in these conversations with your users, or with us (we'll often hard delete API keys or strongly suggest that the user recycle them should they decide to share them with us, for example). It seems you understand this already though.

I appreciate your feedback, and I've passed it to our acquire team!
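
The shutdown-then-boot sequence Intercom describes above, as an added example that is not part of the chat and is not Intercom's own code. It assumes the global `Intercom(...)` function and `window.intercomSettings` that the Messenger's widget.js installs (the chat confirms the 'shutdown' and 'boot' methods and the app_id-only anonymous boot); the cookie names `intercom-session-<app_id>` and `intercom-id-<app_id>` are this example's assumption about where the Messenger keeps its visitor identity, the `APP_ID` placeholder and the `demo()` recorder are constructed for offline use, and the two checks are the ones a site owner would run in the devtools console to confirm the logged-out page no longer carries the previous user's identity.

```javascript
// Added example: logout handling for a site that embeds the Intercom Messenger,
// plus two checks that confirm the logged-out state. Not Intercom's code.
//
// Assumptions (labelled): `Intercom('shutdown')` and `Intercom('boot', {...})`
// are the widget's real API (confirmed in the chat); the cookie names below are
// an assumption about how the Messenger stores the visitor identity.

const APP_ID = 'YOUR_APP_ID'; // placeholder, exactly as used in the chat

// Call this from the logout handler or on the first logged-out page, BEFORE
// rendering anything that could show the previous visitor's conversations.
// Order matters: 'shutdown' discards the identified session and its
// conversations; 'boot' with only app_id starts a fresh anonymous visitor.
function intercomLogout(intercom, appId) {
  intercom('shutdown');
  intercom('boot', { app_id: appId });
}

// Check 1: logged-out settings must carry no identity. Any of these keys
// present after logout means the page is still booting an identified user
// (the chat's logged-in page had email and user_hash set).
const IDENTITY_KEYS = ['email', 'user_id', 'user_hash', 'name'];

function identityLeaks(settings) {
  if (!settings) return [];
  return IDENTITY_KEYS.filter(
    (k) => settings[k] !== undefined && settings[k] !== null && settings[k] !== '',
  );
}

// Check 2: parse a document.cookie string and list the Intercom cookies for
// this app. Run against document.cookie after logout: an empty list is the
// expected result once 'shutdown' has run. Cookie names are an assumption.
function intercomCookies(cookieString, appId) {
  return cookieString
    .split(';')
    .map((c) => c.trim())
    .filter((c) => c.length > 0)
    .map((c) => c.split('=')[0])
    .filter((name) => name === `intercom-session-${appId}` || name === `intercom-id-${appId}`);
}

// Recording stub standing in for the real widget so the call sequence can be
// verified offline without loading Intercom.
function makeRecorder() {
  const calls = [];
  const fn = (method, payload) => calls.push({ method, payload });
  fn.calls = calls;
  return fn;
}

function demo() {
  const intercom = makeRecorder();
  intercomLogout(intercom, APP_ID);

  // Constructed samples: intercomSettings as a logged-in and a logged-out page
  // would set them, and a cookie header before and after shutdown.
  const loggedInSettings = { app_id: APP_ID, email: 'david@example.com', user_hash: 'abc' };
  const loggedOutSettings = { app_id: APP_ID };
  const cookieBefore = `intercom-id-${APP_ID}=visitor1; intercom-session-${APP_ID}=sess1; other=1`;
  const cookieAfter = 'other=1';

  return {
    calls: intercom.calls.map((c) => c.method),          // ['shutdown', 'boot']
    bootPayload: intercom.calls[1].payload,              // { app_id: 'YOUR_APP_ID' }
    leaksLoggedIn: identityLeaks(loggedInSettings),      // ['email', 'user_hash']
    leaksLoggedOut: identityLeaks(loggedOutSettings),    // []
    cookiesBefore: intercomCookies(cookieBefore, APP_ID),
    cookiesAfter: intercomCookies(cookieAfter, APP_ID),  // []
  };
}

// Real browser use: only runs where the widget is actually loaded.
if (typeof window !== 'undefined' && typeof window.Intercom === 'function') {
  intercomLogout(window.Intercom, APP_ID);
}
```

The point of the two checks is that 'shutdown' is easy to forget and silently ineffective if it runs before the widget has loaded, so the logged-out page should be verified empirically: `identityLeaks(window.intercomSettings)` must return an empty list and `intercomCookies(document.cookie, APP_ID)` must return no names before the page is considered safe on a shared machine.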
