
Shutdown not working properly

Open joofsh opened this issue 5 years ago • 0 comments

Version info

  • intercom-rails version: 0.3.5
  • Rails version: 5.2

Expected behavior

Calling IntercomRails::ShutdownHelper.prepare_intercom_shutdown(session) on logout should close/expire the Intercom session.

Actual behavior

Two issues with this:

  • According to the documentation this should be sufficient, but this method simply sets a session variable; in order to delete the cookie you also need to call the intercom_shutdown method.
  • According to a recent penetration test of ours, this creates a security vulnerability. This is because calling intercom_shutdown simply deletes the cookie from the current session, but the session is still active on Intercom's end. According to Intercom's documentation, the proper way to end a session is by calling their JavaScript library's Intercom('shutdown').

Steps to reproduce

  1. Copy a network request to intercom when sending a message
  2. Logout, triggering the gem's intended shutdown code
  3. Resend a similar request. You can continue to send messages to Intercom.

Logs

joofsh · Jun 29 '20 19:06
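The mitigation the report points at is a client-side call, so the following is an added JavaScript example (not code from the intercom-rails gem or from the issue author) of what a logout page can run: it calls Intercom('shutdown') when the Messenger snippet has defined window.Intercom, then redirects, and it includes a small check that lists any Intercom cookies still present afterwards. The cookie name prefixes intercom-id- and intercom-session- are an assumption about Intercom's cookie naming; nextUrl and the window-like argument are hypothetical inputs chosen so the functions can be exercised without a browser.

```javascript
// Added example, not part of the intercom-rails gem or the issue text.
// Assumes the Intercom Messenger snippet has already run and defined
// window.Intercom; the `win` parameter is passed explicitly so the logic
// can be exercised against a stand-in object outside a browser.

// Ends the Intercom session on Intercom's side via the documented client call.
// Deleting the server-set cookie alone leaves the session usable, which is the
// gap the issue describes, so this call is the part that must not be skipped.
function shutdownIntercomSession(win) {
  const intercom = win && win.Intercom;
  if (typeof intercom !== 'function') {
    return { shutdown: false, reason: 'Intercom Messenger not loaded' };
  }
  intercom('shutdown');
  return { shutdown: true, reason: null };
}

// Logout-page flow: shut Intercom down first, then move the browser on.
// `nextUrl` is a hypothetical post-logout destination.
function logoutIntercomThenRedirect(win, nextUrl) {
  const result = shutdownIntercomSession(win);
  if (win && win.location && typeof win.location.assign === 'function') {
    win.location.assign(nextUrl);
  }
  return result;
}

// Defender check: given document.cookie (or a constructed string), return the
// names of any cookies that still look like Intercom session/identity cookies.
// The prefixes below are an assumption about Intercom's cookie naming scheme.
function intercomCookieNames(cookieString) {
  return (cookieString || '')
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.startsWith('intercom-id-') || name.startsWith('intercom-session-'));
}

// Browser usage (no effect when run outside a browser):
if (typeof window !== 'undefined') {
  logoutIntercomThenRedirect(window, '/login');
}
```

After the shutdown call returns, intercomCookieNames(document.cookie) should come back empty; a non-empty list on the post-logout page is the quickest sign that the client-side shutdown did not run.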