Calling IntercomRails::ShutdownHelper.prepare_intercom_shutdown(session) on logout should close/expire the Intercom session
Actual behavior
Two issues with this:
According to the documentation this should be sufficient, but this method simply sets a session variable, in order to delete the cookie you also need to call the intercom_shutdown method.
According to a recent penetration test of ours, this creates a security vulnerability. This is because calling intercom_shutdown simply deletes the cookie from the current session, but the session is still active on Intercom's end. According to intercom's documentation, the proper way to end a session is by calling their javascript libraries Intercom('shutdown')
Steps to reproduce
Copy a network request to intercom when sending a message
Logout, triggering the gem's intended shutdown code
Resend a similar request. You can continue to send messages to Intercom
Version info
Expected behavior
Calling
IntercomRails::ShutdownHelper.prepare_intercom_shutdown(session)on logout should close/expire the Intercom sessionActual behavior
Two issues with this:
intercom_shutdownmethod.intercom_shutdownsimply deletes the cookie from the current session, but the session is still active on Intercom's end. According to intercom's documentation, the proper way to end a session is by calling their javascript librariesIntercom('shutdown')Steps to reproduce
Logs