We developed version 1.0 of a webchat widget for a webpage of our client; it integrates cobrowse and screen sharing. They were performing security testing of the functionality and found the following. I would appreciate your help and suggestions in order to hotfix these:
When our partner tested the chat widget and established a session, they proved that both the agent side and the customer side can send an undesirable link that redirects the other side to a URL that could be malicious.
And when they tested the cobrowse functionality, as agents we were able to modify the monitoring URL of the webpage the customer was sharing with them. In consequence, on the customer side, the customer could be redirected to an undesirable webpage.
How can we avoid those?
NOTE: I modified the original post to avoid misunderstandings. This is the correct meaning of the vulnerabilities found. I appreciate your understanding.
Typically, agent issues would be solved via training and quality/workforce management capabilities. PureCloud cannot stop agents from sending all incorrect information.
The first question here would be why are these agents sending malicious URLs?
Of course, I agree. But that is not the meaning I wanted to express. Sorry if I did not express my ideas correctly; I will modify the first post in order to clarify it. By "agent" in those cases we mean the role they played in the testing: possibly not in the second issue, but in the first one the agent can receive one of those malicious links, and the agent could open it and navigate to a malicious URL. These issues are referred to as vulnerabilities that can affect the security of the contact center side, and our partner identified them.
Surely our partner is looking for a solution that this widget can offer them that filters the kind of content that can be shared in a chat session, both from the client side and the agent side. The content that would be allowed to be shared is any URL that contains our partner's domain. I will redirect this to our partners to clarify their meaning.
Does the chat have a parameter or configuration to do that? Or do they have to get their solution secured by configuring the firewall and IT infrastructure?
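The filter described in the post above (only links on the partner's own domain may be shared, from either side, and the cobrowse monitoring URL may only point at the page the customer is sharing) is something the widget front end can enforce itself while the product request is pending. The following is an added example, not PureCloud/Genesys code and not the original poster's widget; the domain `partner.example`, the sample messages and the function names are assumptions for illustration. It also shows the checks a naive "contains the partner's domain" test misses: lookalike hosts such as `partner.example.evil.example`, userinfo tricks such as `https://partner.example@evil.example/`, and non-web schemes such as `javascript:`.

```javascript
// Added example: allowlist-based URL filtering for a chat widget and a cobrowse
// navigation check. Not part of the original post or of PureCloud; the partner
// domain "partner.example" and all names below are assumptions for illustration.

// Hosts the partner considers its own (assumed). Subdomains are accepted as well.
const ALLOWED_HOSTS = ["partner.example"];

// Returns true only for absolute http(s) URLs whose host is an allowed host or a
// subdomain of one. Every other input (relative text, other schemes, userinfo,
// lookalike hosts) is rejected.
function isAllowedUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser; throws on anything that is not absolute
  } catch (e) {
    return false;
  }
  // Only web schemes may be opened by the counterpart; javascript:, data:, file: are out.
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // "https://partner.example@evil.example/" parses with hostname evil.example but reads
  // as the partner's name to a human; refuse any URL carrying userinfo.
  if (url.username || url.password) return false;
  const host = url.hostname.toLowerCase();
  // Exact match or a real subdomain. A plain includes()/endsWith() test would accept
  // "notpartner.example"; a startsWith() test would accept "partner.example.evil.example".
  return allowedHosts.some((h) => host === h || host.endsWith("." + h));
}

// Matches scheme://... runs inside free text so we can check each one before the
// widget turns it into a clickable link. The widget should render the message as
// text (never as HTML) and only auto-link URLs that pass isAllowedUrl().
const URL_PATTERN = /\b[a-z][a-z0-9+.-]*:\/\/[^\s<>"']+/gi;

// Replaces every disallowed link in a chat message (from agent or customer) with a
// visible placeholder, leaving allowed links untouched.
function sanitizeMessage(text, allowedHosts = ALLOWED_HOSTS) {
  return text.replace(URL_PATTERN, (match) =>
    isAllowedUrl(match, allowedHosts) ? match : "[link removed]"
  );
}

// Cobrowse: the agent may only steer the customer to pages on the same origin as
// the page the customer originally shared, and that origin must itself be allowed.
function isAllowedCobrowseTarget(sharedPageUrl, requestedUrl) {
  if (!isAllowedUrl(sharedPageUrl) || !isAllowedUrl(requestedUrl)) return false;
  return new URL(sharedPageUrl).origin === new URL(requestedUrl).origin;
}

// Constructed sample messages, as a customer and an agent might type them.
const SAMPLE_MESSAGES = [
  "See https://partner.example/faq and https://evil.example/login",
  "Try https://partner.example@evil.example/reset or https://shop.partner.example/cart",
];

for (const m of SAMPLE_MESSAGES) {
  console.log(sanitizeMessage(m));
}
console.log(isAllowedCobrowseTarget("https://shop.partner.example/cart", "https://evil.example/"));
```

The origin comparison in `isAllowedCobrowseTarget` deliberately treats `http://shop.partner.example` and `https://shop.partner.example` as different origins, so an agent cannot downgrade the customer's session to plain HTTP either. The same two functions belong on the server side of the chat API as well; a client-side filter alone can be bypassed by whichever party controls their own browser.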
When our partner tested the chat widget and established a session, they proved that both the agent side and the customer side can send an undesirable link that redirects the other side to a URL that could be malicious.
(Lucie) Yes, you can also do the same via a call, via an email, via an SMS or a direct message. We can't assume employees are malicious actors. Agents should also not click on suspicious links that come from end customers. That said, if there is a desire to restrict URLs to a specific domain, then you can always request this via the ideas portal at https://purecloud.ideas.aha.io/ideas/. The more specific, the better. For example, if there is a PureEngage capability someone really likes, providing details around it would help.
And when they tested the cobrowse functionality, as agents we were able to modify the monitoring URL of the webpage the customer was sharing with them. In consequence, on the customer side, the customer could be redirected to an undesirable webpage.
(Lucie) Still seems like a personnel issue. Why would agents be sending customers to malicious URLs? Yes it is possible, but why would agents do this? PureCloud itself cannot prevent agents from doing all malicious actions or actions that would harm reputation. These issues are solved with the use of our workforce and quality management capabilities where you can coach agents, evaluate agents, etc.
Yes, I agree with your arguments.
I will relay to our partner the possibility of expressing this idea in the PureCloud Ideas Lab with more details, and again the recommendation to get the maximum possible benefit from the workforce and quality management features of the PureCloud platform to monitor and evaluate agent behavior.