Click4Assistance Live Chat WordPress Plugin is Completely Secure

A warning about a critical vulnerability, identified as CVE-2019-12498, has been shared from security researchers regarding the WordPress live chat website plugin. The flaw was discovered by cybersecurity researchers at Alert Logic. It exists due to an improper validation check for authentications that could allow unauthorised access to the restricted REST API endpoints.

If the vulnerability is abused, unauthorised remote users can gain access to steal all chat logs, modify or delete the chat history, manipulate live chat sessions by injecting messages and imposing as the customer support agent and forcefully end an active session as part of a denial of service (DoS) attack.

Not To Be Confused

Click4Assistance have our own live chat website plugin for the WordPress platform. It is our own software that allows users with a WordPress website to easily implement the communication channel.

There is no association what so ever between our solution’s plugin and the ‘WP Live Chat Support’ Plugin. Think Hoover, Dyson, Shark as a comparison, they are the same type of product but they are separate companies.

Data Security

Security is one of our main priorities when redesigning the solution from the ground up and when making enhancements. Our developers are up to date with security trends and best practices to ensure the software remains resilient and secure.

Security protocols are embedded into all operations from product development, infrastructure and the physical environment. Security aware software development with agile methodologies occurs under strict change control processes which require rigorous testing regimes and multiple sign off to OWASP standards before release.

We have many procedures in place when it comes to data security. Some are more account level specific such as:

• Login policies with forced password strength and expiry,
• Password  lockout,
• IP/Time lockdown,
• AD integration,
• Full audit reporting.

Whereas others are at transmitting and storing level:

• Data only ever resides within the UK,
• Encrypted in transit using TLS 256bit SHA2 algorithms,
• Passwords and any personally identifiable data include chat transcripts are encrypted at rest using the latest AES256 (Advanced Encryption Standard),
• No script can be injected during a chat. This ensures that the JavaScript cannot be manipulated and unauthorised changes can be made to the system.

Hosting

We use Equinix to host our servers. They are a global leader in co-location and connectivity. Their accreditations include ISO9001, ISO27001, and ISO14001 amongst many others.  Access to the data centre and our servers is heavily restricted with only key members of staff allowed entry. Even then they are rigorously checked with ID, retina scans and controlled entry points etc. 

New servers were recently introduced following a lot of research into the best type for our requirements. They were built from scratch and include a large number of encrypted back up hard drives. This ensures connectivity should the hardware experience an issue.

They are situated in a more powerful dedicated rack than previous to ensure that the system uptime maintains our minimum of at least 99%. We have never had a data security breach.

Takeaway

Sometimes the free or built in options might be great for convenience; however there are risks with security and lack of functionality/usability. When looking for a live chat website plugin provider, ensure you research into their data/cyber security information and find a supplier that can meet your requirements.

Click4Assistance has been providing website live chat for over 15 years. Our clientele includes police forces, NHS organisations and local government etc. therefore we have a legal obligation to ensure our security is of the highest possible standards. For more information about our WordPress plugin, security or our services contact our team on 01268 524628 or email theteam@click4assistance.co.uk.