Whenever you expose a communication method to the internet, it's important to understand the potential security implications and attack vectors. iService Chat is a web based interface that uses the same APIs and security methods as the agent interface and customer portals. The chat forms are built using iService Forms in the same was as all other iService interaces. This chapter explains how to secure your chat implementation and features that help protect your organization from malicious use.
Protecting against automated submission (reCAPTCHA)
An important security consideration is preventing automated submission of your chat forms. Scripts and bots that maliciously submit chat requests could disrupt your iService agents with large numbers of chat requests, making it difficult to support your real customers.
iService Chat includes built-in support for reCAPTCHA to prevent bots and malicious scripts from spamming your iService Agents. The reCAPTCHA process used in chat follows the same configuration as other iService forms. Google reCAPTCHA v2 is integrated into every chat form by default, but can be disabled in specific chat forms if needed.
Text Bombing
Text Bombing s a form of cyber attack that involves sending a large amount of text to overwhelm a system's resources, causing it to crash or become unresponsive. This can be done manually by an individual or automated using specialized software. Text bombing is often used as a means of disrupting online services or harassing individuals.
iService Chat prevents text bombing in two ways. First, customers cannot post any comments into a chat until an agent joins the conversation. This prevents users of the form from loading the chat interaction with an excessively large message body before an agent is participating and can end the chat.
Also, customers can only post 1200 characters at a time. The underlying API used in customer chat forms limits the input to 1200 characters. Front-end validation in the customer chat forms truncate content over the allowed limit.
File Attachments
Files attachments are a common attack vector for malicious code. The default iService chat forms do not allow file transfers. If you have a business need for file transfer, contact your iService account manager to discuss implementation options.
Malicious Content
Content entered into the chat by your customer is plain text for review by the agent. This prevents agents from accidentally clicking on malicious links, and the execution of JavaScript or other dangerous content.
The iService Chat Script
The iService customer chat form is an HTML page written in Vue.js. It is inserted into your website within an iFrame generated by the script created in the Chat Configuration settings page. The script creates the iFrame, which uses cookies to keep track of the status of the chat interaction. The contents of the script are below, but will include the chat ID from your configuration.
