You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Calling IntercomRails::ShutdownHelper.prepare_intercom_shutdown(session) on logout should close/expire the Intercom session
Actual behavior
Two issues with this:
According to the documentation this should be sufficient, but this method simply sets a session variable, in order to delete the cookie you also need to call the intercom_shutdown method.
According to a recent penetration test of ours, this creates a security vulnerability. This is because calling intercom_shutdown simply deletes the cookie from the current session, but the session is still active on Intercom's end. According to intercom's documentation, the proper way to end a session is by calling their javascript libraries Intercom('shutdown')
Steps to reproduce
Copy a network request to intercom when sending a message
Logout, triggering the gem's intended shutdown code
Resend a similar request. You can continue to send messages to Intercom
Logs
The text was updated successfully, but these errors were encountered:
Version info
Expected behavior
Calling
IntercomRails::ShutdownHelper.prepare_intercom_shutdown(session)on logout should close/expire the Intercom sessionActual behavior
Two issues with this:
intercom_shutdownmethod.intercom_shutdownsimply deletes the cookie from the current session, but the session is still active on Intercom's end. According to intercom's documentation, the proper way to end a session is by calling their javascript librariesIntercom('shutdown')Steps to reproduce
Logs
The text was updated successfully, but these errors were encountered: