Live Chat Widgets Leak Employee Details From High-Profile Companies
At least two live chat widgets used on hundreds of high-profile sites are leaking the personal details of company employees.
The vulnerable widgets are used on sites managed by Google, Verizon, Spring, Bank of America, PayPal, Orange, Sony, Tesla, Bitdefender, Kaspersky Lab, Disney, and many others.
The leak occurs when an attacker engages in a live chat session with a support staffer. According to Project Insecurity researchers Cody Zacharias and Kane Gamble, the widgets leak information about the support staffer, such as the staffer's real name, company email address, employee ID, support center name, location, supervisor name, supervisor ID, or the software used by the employee.