Vulnerability in identification of visitor: Injecting data when identifying chat visitor


Hi HubSpot!

I have read about identifying visitors here:

What about the security of this way of identification?
It's possible to inject any email in window._hsq:

  1. Place a breakpoint after setting window._hsq
  2. Type in the devtools console: window._hsq=[...];

How does HubSpot check data received from the page?


Welcome, @nas!

Apologies for the delayed response. The team strives to respond to topics in the order they are posted. Edits and subsequent posts reset the [Last] Activity timer, making older topics appear much newer. That's why we overlooked your question until now.

The identify function validates email formats according to these rules. As the document notes:

These processes do not check the email address to make sure it is a valid email address (like an embedded form would), but the format of the address will be validated.

So you could inject a "fake" email like since it is in the format of an email.