Summary
Messages in the app.wiremock.cloud live chat can be viewed or sent using a forged email address.
Details
Identity verification is not enabled in your Intercom account.
PoC
In this example I'm using an intercepting proxy called Burp Suite. But you could also use Chrome developer tools to copy requests as a curl command and manipulate them.
- Login to app.wiremock.cloud and send a message in Intercom
- In Burp Suite, look for a request to https://api-iam.intercom.io/messenger/web/conversations and send it to the repeater tool
- Change the user_data parameter to {"email":"[email protected]"}
- Send the request. You will see all the messages sent by Tom in the live chat.
Impact
Potentially confidential messages can be viewed, users can be impersonated in messages.
Mitigation
Intercom's identity verification feature was enabled and user details are now sent to Intercom with an HMAC hash generated by WireMock Cloud's backend, ensuring they haven't been tampered with.
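The fix above relies on Intercom's identity verification, where the backend attaches a hex-encoded HMAC-SHA256 of the user identifier (computed under the workspace's identity verification secret) as user_hash, so a swapped email no longer matches. The following is an added illustration of that check and is not WireMock Cloud's or Intercom's code; the secret value and email addresses are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder: the real identity verification secret is per Intercom
# workspace and lives only on the backend, never in the browser.
IDENTITY_VERIFICATION_SECRET = b"EXAMPLE-IDENTITY-VERIFICATION-SECRET"


def intercom_user_hash(secret: bytes, identifier: str) -> str:
    """Backend side: hex HMAC-SHA256 of the user's identifier under the
    workspace secret. This is the user_hash value Intercom expects."""
    return hmac.new(secret, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def build_user_data(secret: bytes, email: str) -> dict:
    """What the backend emits to the page: the identity plus its user_hash.
    Without identity verification, only the email would be sent and any
    client could rewrite it, which is the weakness described in the PoC."""
    return {"email": email, "user_hash": intercom_user_hash(secret, email)}


def verify_user_data(secret: bytes, user_data: dict) -> bool:
    """Receiving side with identity verification enabled: recompute the HMAC
    over the claimed identifier and compare in constant time. Missing or
    mismatching hashes are rejected, so tampering is detected."""
    claimed = user_data.get("email")
    presented = user_data.get("user_hash", "")
    if not claimed or not presented:
        return False
    expected = intercom_user_hash(secret, claimed)
    return hmac.compare_digest(expected, presented)


def tamper_email(user_data: dict, new_email: str) -> dict:
    """Model the report's tampering step: change the email in user_data while
    leaving the rest untouched, to confirm the verifier rejects it."""
    tampered = dict(user_data)
    tampered["email"] = new_email
    return tampered
```

The hash must be computed on the server and sent alongside the identity; if the browser could compute it, the secret would be exposed and the check would be worthless.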