At least two live chat widgets used on hundreds of high-profile sites are leaking the personal details of company employees.
The vulnerable widgets are used on sites managed by Google, Verizon, Spring, Bank of America, PayPal, Orange, Sony, Tesla, Bitdefender, Kaspersky Lab, Disney, and many others.
The leak occurs when an attacker engages in a live chat session with a support staffer. According to Project Insecurity researchers Cody Zacharias and Kane Gamble, the widgets leak information about the support staffer, such as their real name, company email address, employee ID, support center name, location, supervisor name, supervisor ID, or the software used by the employee.
Not all companies leak support staffer data
These details vary from company to company, depending on how each business has set up its support widgets, and for some, no information may leak.
Bleeping Computer was able to confirm the leak on several sites, although not all of the sites we tested were exposing employee data. We will not name the sites where the live chat widgets leaked employee data, for security reasons.