I had an interesting chat with Intercom support about what I perceived to be a security and privacy hole in their support messenger app, but it turned out that what I thought should be a great concern for them was happening “by design”.
Intercom is a popular customer relations tool, and one of their cool features is the chat messenger app. It adds a little chat icon to the bottom-right of a website and allows real-time chat with customers for help and support. We use it at Receiptful which allows us to chat directly with our users when they are signed-in to our app. It looks like this:
Chats are not private
A few days ago, I was using the Intercom chat app on a website that hosts some of our data. I needed to update some basic settings for our account and asked for help using the Intercom chat while I was signed-in to the service. A common use case for the Intercom chat is to allow support for both anonymous and signed-in users. What I found out is that there is no distinction between these by default.
When I signed out from the website, I noticed that my private chat session was still visible in the “anonymous” chat window. Even after restarting the browser and without signing in to the service, my private chat session was visible.
In other words: If I was on a shared computer, the next person using the browser would be able to see my private chat sessions, even though I signed out from the service where I had the chat in the first place.
Next, I tried to do the same thing on the Intercom website and it was the same deal: All previous announcements and private chats were visible from their front page without me signing in:
“This is, in fact, by design”
When I noticed that my private support chats were leaking into the anonymous part of their website, I reported it to Intercom as a possible security hole because I did not think that it was intentional that private chats were visible while being signed out. This is the response from Intercom support:
This is, in fact, by design. We track users using an anonymous cookie, and when they logout that cookie still exists, so we can use that to keep the conversations in the messenger. I think your concern though is interesting, and I’ll forward this as feedback to our Messenger team.
If you’d like to ensure that others won’t see the conversations, I recommend clearing your cookies with us after logging out.
Apologies for the confusion there, it’s clear that sometimes what we think is a good idea isn’t always agreed upon by others.
So the privacy leak is “by design” and I have to remember to clear all my cookies to avoid it. What a joke. Imagine having a private chat on Facebook that was still visible after signing out. That would be quite horrible. Intercom clearly does not see their support chat system as a private conversation, although it most certainly is. In the chats, both my real name and email are used and what is even worse: I can create a new conversation using the same chat window, thereby impersonating whoever was the last one to use the system.
Now to be fair, there is a documented API called Intercom('shutdown') which clears the user cookie and resets the state of Intercom. However, Intercom does not even use this API themselves and I cannot imagine many websites that do this. So leaking chats are probably quite common.
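As an added example (not Intercom's code and not from the original post), here is a logout hook that calls the Intercom('shutdown') API described above and then starts a fresh anonymous session, plus a check for cookies that survived. Intercom('boot', settings) and the "intercom-" cookie-name prefix are assumptions not taken from the post; the fake Intercom function is constructed so the example runs outside a browser.

```javascript
// Reset the Intercom messenger on logout so the anonymous cookie no longer
// carries the signed-in user's conversations (or identity) to the next visitor.
// `intercom` is expected to be window.Intercom; passing it in keeps this testable.
function resetMessengerOnLogout(intercom, appId) {
  const steps = [];
  if (typeof intercom !== 'function') {
    // Messenger script not loaded on this page: nothing to clear.
    steps.push('skipped');
    return steps;
  }
  intercom('shutdown');                 // documented: clears the user cookie and messenger state
  steps.push('shutdown');
  intercom('boot', { app_id: appId });  // assumption: boot with no user fields = anonymous session
  steps.push('boot');
  return steps;
}

// Defensive check after shutdown: given a document.cookie string, return the names of
// any Intercom cookies still present. Assumes Intercom's cookies start with "intercom-".
function lingeringIntercomCookies(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((name) => name.startsWith('intercom-'));
}

// Constructed stand-in for window.Intercom that records the commands it receives.
function makeFakeIntercom() {
  const calls = [];
  const fn = (command, settings) => calls.push(settings ? [command, settings] : [command]);
  fn.calls = calls;
  return fn;
}

// Usage (APP_ID_PLACEHOLDER stands in for the real app id):
const fake = makeFakeIntercom();
resetMessengerOnLogout(fake, 'APP_ID_PLACEHOLDER');
// fake.calls is now [['shutdown'], ['boot', { app_id: 'APP_ID_PLACEHOLDER' }]]
lingeringIntercomCookies('intercom-id-APP_ID_PLACEHOLDER=abc; session=xyz');
// returns ['intercom-id-APP_ID_PLACEHOLDER'], i.e. shutdown did not take effect
```

In a real page the logout handler would call resetMessengerOnLogout(window.Intercom, appId) and then inspect lingeringIntercomCookies(document.cookie); a non-empty result means the next user of the browser still sees the previous conversation.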
The bigger picture
I think what really bothered me is that I already knew what Intercom would say when I reported the issue. Before I got the above answer from Intercom, I wrote this message to my colleagues:
The problem with lack of privacy is systemic. In this case with Intercom, usability won over privacy. They thought it was a “good idea” to keep chat windows open even after the user had signed out of their service and in most cases, this decision does not present a problem for the user if they are not on a shared computer. But by asking the questions “should private chats be visible after the user signs out”, “what if the user is on a shared computer” and “how does this relate to the privacy of our users”, I think they would have arrived at a different conclusion.
As developers in a world of increasing surveillance, we need to ask ourselves questions about privacy when developing our solutions. And if there is an obvious case of private information leaking to a non-secured area, we should most definitely not consider it to be “by design”.
For full transparency, here is a copy of my support chat with Intercom.