Recent searches

No recent searches

Security exploit in classic chat widget?

image avatar

Jess Shannon

Posted Jun 06, 2024

I've noticed on one of my clients sites that they have a cookie of __zlcmid. Zendesk docs say it's the session id, and I believe it's from the classic widget.

 

It's not set to secure, so will be passed over HTTP connections.

 

I think there's a clear exploit here where an attacker may have control over a WiFi network, they would only need to get the user to open a http:// link to the target site, and they would be able to steal their Zendesk chat session.

 

This session may have been authenticated in the app, or the user may have previously proven their identity to the support agent. The attacker could then pose as an authenticated user and convince the agent to reveal personal info or change info on their account.

0

1

1 comment

Date
    Newest
      image avatar

      Greg Katechis

      Hi Jess!
       
      I didn't have a good answer for this question, so I reached out to our product team that handles this area and they shared the following response with me. I'll just post it verbatim from them so that I don't make a mistake rewording it:
       

      There are two types of end-users in Chat with respect to authentication:

      1. Authenticated Users: Only the business-supplied details are used to identify an end user. This is achieved by the customer maintaining a signing server. Further details can be found here (https://support.zendesk.com/hc/en-us/articles/4408838925082-Enabling-authenticated-visitors-in-Web-Widget-Classic). Agents are not able to modify their details either. Identification is possible across multiple devices, as long as the business identifies them as the same users.
      2. Non-authenticated Users: Unverified users, who may or may not have any identification information attached to them. This is the default behavior in Chat. Identification is based on a cookie, and does not carry across devices. Within this, there are two subtypes:
        1. Anonymous visitors: No identifying information is available about these end-users except the cookie. Chat attaches a random ‘Visitor 1234567890’ name to these, with the numerical part being random for each end-user.
        2. Self-identified visitors: In cases where a business modifies a user’s information, or there is a pre-chat form involved, an end-user can supply their name, email address and phone number. No further verification is done on this information, and the onus is on the business to verify this, if they choose to. Some businesses do this with a further OTP flow to the email/phone number.

       

      There is clear UX differentiation between these types of end users, providing agents a clear signal of whether an end-user is authenticated.

      1. Legacy Chat: In Legacy Chat, authenticated end-users have a green authenticated checkmark overlay on their avatar, as noted here. Agents are not able to modify their profile information. The only way to do so would be to use the APIs to re-identify the end-user. (https://support.zendesk.com/hc/en-us/articles/4408838925082-Enabling-authenticated-visitors-in-Web-Widget-Classic#topic_jsx_cvq_4fb)
      2. Chat in Agent Workspace: In Agent Workspace, authenticated end-users also have a green authenticated checkmark during the course of an ongoing conversation, greatly reducing the risk of social engineering. This is in the form of a similar green authenticated checkmark next to their name in the ongoing chat log.

      0

      Sign in to leave a comment.

      Didn't find what you're looking for?

      New post