0x04 - Reading Intercom Widget Messages
Did you know you can read the chat messages of other users in the Intercom Widgets with just 2 JavaScript commands?
Intercom is a very popular chat widget used by applications to provide customer support.
However, due to a common misconfiguration (identity verification not enabled) it's possible to impersonate any email address and read previous conversations.
Here is an example of how it has been used to take over accounts: https://dday.us/2021/11/03/h1vendorATO.html
How to do it
Open browser developer tools
Run
Intercom('show');
to check if the widget is used. If the widget shows up, run
Intercom('boot', { email: '<victim_email>' });
Open the chat and check for old conversations
If there are no old conversations, the target email has not been used in previous conversations.
If you get the error "Intercom Messenger error: Missing user_hash. A valid user_hash is required", identity verification is enabled
-> Not vulnerable