HubSpot Ideas

knelson

security concerns with Chats maintaining previous chat texts

We use the HubSpot Chats to both authenticate (ID and security questions/answers) and discuss private information with clients. Currently the HS Chat function maintains previous chat text, which usually has both authentication and private information listed from the client's previous connection. If the client's computer was accessed by an unauthorized user, then that unauthorized user would have access to both this authentication and private information.

We'd like to see a profile option to not allow previous texts to be viewed by our external clients, but instead just accessible by us. It should also treat each chat session as a new session if we close out the chat from our side (not when the external client selects the X though), allowing our BOT authentication questions to be presented with every chat.

This is a significant concern due to the security vulnerability related to it.

6 Comments
amosesso1
HubSpot Employee

Hello! Thank you for your comment. I can certainly see how this would be a concern, especially when using Chat as a Support solution in the way you described. Our engineering teams are currently working on updating the behavior of a chat window once the conversation is terminated, and giving our customers the ability to clear out the visitor widget on chat close is part of that. However, it is important to note that the Live Chat feature is not set up to function as a Support tool, and we do not recommend using it as such. Collecting and storing sensitive information is against our Terms of Service (https://legal.hubspot.com/terms-of-service), and this includes authentication information like usernames, passwords, and security questions/answers. Also, it is generally not best practice to share sensitive information over a channel that can be accessed by other users, in this case that would be other users on your portal.

Thanks again for pointing this out. If you have other observations about security-relevant behaviors, you can get in touch with HubSpot’s Security team directly through our bug bounty program. Information about the bug bounty program is available at https://bugcrowd.com/hubspot.

Anthony

HubSpot Security

Status updated to: In Planning
cdewey22
HubSpot Product Team

Hi all-

We are working on a visitor verification feature, which will allow you to let us know that you have authenticated the visitor, and then we can show them the threads/previous conversations related to them. We also will have an API to clear the cookies for that visitor to give you more control over when to expire that session for the customer and clear the history. That API is currently available via
https://developers.hubspot.com/docs/methods/conversations_api/hubspot-conversations-javascript-api#c...

MikaelMortensen
Member

Hi there,

I'm currently looking for a ticket and chat system, and think that Hubspot looks great, and has great features.

I've already bought a Hubspot module for my Prestashop and tested it on my website. Works great!

But I really need the feature that the chat window clears after an ended browser session, or when the chat is closed. It's not acceptable that an "old" conversation is shown, if another user opens the site on the same browser.

Do you have any idea as of when this feature will be available?

Best regards,
Mikael

cdewey22
HubSpot Product Team

@MikaelMortensen We have an API that is about to go into beta that will allow you to control when to clear the cookie and the previous history from the chat widget once the conversation has ended. I will follow up via email with you to provide the details of that solution once it is ready.

Thanks!

Cassie

MikaelMortensen
Member

@cdewey22 Sounds great - Thank you!

Best regards,
Mikael

MikaelMortensen
Member

Hi again,

My old chat and ticket system is closing down, and I'm now looking for a new system.

Do you have any news regarding the "clear chat history when ending chat" function?

I'm not into API, so it would be nice if the chat history cookie could be disabled in the settings section of Hubspot.

Best regards,
Mikael