Vulnerability in identification of visitor: Injecting data when identifying a chat visitor


#1

Hi HubSpot!

I have read about identifying visitors here: https://developers.hubspot.com/docs/methods/tracking_code_api/identify_visitor

What about the security of this way of identification?
It's possible to inject any email in window._hsq:

  1. Place breakpoint after setting window._hsq
  2. Type in devtools console: window._hsq=[...];

How does HubSpot check data received from the page?


#3

Welcome, @nas!

Apologies for the delayed response. The team strives to respond to topics in the order they are posted. Edits and subsequent posts reset the [Last] Activity timer, making older topics appear much newer. That's why we overlooked your question until now.

The identify function validates email formats according to these rules. As the document notes:

These processes do not check the email address to make sure it is a valid email address (like an embedded form would), but the format of the address will be validated.

So you could inject a "fake" email like phonyzapdos@zxczxcv.com since it is in the format of an email.