Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

LiveChatInc.com breached
From: warning () type-error net
Date: Wed, 24 Oct 2012 09:39:30 -0700

A while back, LiveChat, Inc was breached via a very simple web
exploit. Their customers were never notified to update their password
or information.

Details:
LiveChatInc.com allows businesses to offer chat services intergrated
to their web platform. Via the customer's panel, one can reset a
password. LiveChatInc.com fail to check input properly and you can
reset ANY user account, but also specify your return email for the
link. Also work with password set fields. This exploit was used to
compromise the actual administrators of LiveChatInc.com and add an
admin user that can see ALL ACCOUNTS from ALL THEIR CUSTOMERS.
Basically, very bad mojo.

There are many more bugs to be found. Go ahead and sign up for a free
trial account if you like to verify. Image File Upload, XSS, and CSRF.
Maybe they get smarter in the future?

https://www.livechatinc.com/signup/

The customers that they didn't notify and may have been attacked using
this trust relationship are as follows:
* Adobe
* Netgear
* France Telecom-Orange
* Roku
* LunarPages
* BBB
* Bosch
* and many more!

#warning

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • LiveChatInc.com breached warning (Oct 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault