security concerns with Chats maintaining previous chat texts

: In Planning
knelson
Submitted by knelson on ‎01-18-2019 01:22

We use the HubSpot Chats to both authenticate (id and security questions/answers) and discuss private information with clients.  Currently HS Chat function maintains previous chat text which usually have both authentication and private information listed from clients previous connection.  If the client's computer was accessed by an unauthorized user, then that unauthorized user would have access to both this authentication and private information.

    We'd like to see a profile option to not allow previous texts to be able to be viewed by our external clients, but instead just accessable by us.  It should also treat each chat session as a new session if we close out the chat from our side (not when the external client select the X though) allowing our BOT authentication questions to be presented with every chat.

    This is s significant concern due to the securiry vunerabilty related to it.

See more ideas labeled with:
HubSpot updates
security concerns with Chats maintaining previous chat textsHubSpot Product Team
changed to: In Planning
04-09-2019

Hi all- 

 

We are working on visitor verification feature, which will allow you to let us know that you have authenticated the visitor and than can show them the threads/previous conversations related to them. We also will have an API to clear the cookies for that visitor to give you more control over when to expire that session for the customer and clear the history. That API is currently available via
https://developers.hubspot.com/docs/methods/conversations_api/hubspot-conversations-javascript-api#clear

 

 

2 Replies
amosesso1
amosesso1
New Contributor
‎02-04-2019 11:20

Hello! Thank you for your comment. I can certainly see how this would be a concern, especially when using Chat as a Support solution in the way you described. Our engineering teams are currently working on updating the behavior of a chat window once the conversation is terminated, and giving our customers the ability to clear out the visitor widget on chat close is part of that. However, it is important to note that the Live Chat feature is not setup to function as a Support tool, and we do not recommend using it as such. Collecting and storing sensitive information is against our Terms of Service (https://legal.hubspot.com/terms-of-service), and this includes authentication information like usernames, passwords, and security questions/answers. Also, it is generally not best practice to share sensitive information over a channel that can be accessed by other users, in this case that would be other users on your portal. 

Thanks again for pointing this out. If you have other observations about security-relevant behaviors, you can get in touch with HubSpot’s Security team directly through our bug bounty program. Information about the bug bounty program is available at https://bugcrowd.com/hubspot.

 

Anthony

HubSpot Security

cdewey22
HubSpot Product Team
HubSpot Product Team
‎04-09-2019 11:40
updated to: In Planning

Hi all- 

 

We are working on visitor verification feature, which will allow you to let us know that you have authenticated the visitor and than can show them the threads/previous conversations related to them. We also will have an API to clear the cookies for that visitor to give you more control over when to expire that session for the customer and clear the history. That API is currently available via
https://developers.hubspot.com/docs/methods/conversations_api/hubspot-conversations-javascript-api#c...