Improper Authentication
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-287: Improper Authentication |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
The Intercom Messenger is being initialized with user identifiers (such as email or user_id) but without a user_hash for identity verification. This leaves user sessions unprotected: anyone who knows or guesses a user's identifier can impersonate that user.
## Impact
Without a user_hash, an attacker who supplies someone else's email or user_id can access that user's Intercom conversations and sensitive information. This can lead to unauthorized access, privacy breaches, and compromise of user data within your application.