Expand Fin to email is now live on Fin Academy!
Messenger Security Q&A
Recently active
I am using intercom iOS sdk using pod install and every time I launch intercom screen I got this Tried to update user but there was a network error (401) - Failed Identity Verification check error. Earlier it was working now it is not working. Same user email using in intercom of another iOS application then it is working.
We are starting to sell to a number of customers in the FedRAMP space. Intercom is not currently in the FedRAMP marketplace. Any chance that this will change soon? I really don’t want to switch to a compliant platform, but I know that a direct competitor has a gov cloud version that we could use.
GET https://js.intercomcdn.com/vendor-modern.1ffdfa4a.js net::ERR_SSL_PROTOCOL_ERROR GET https://js.intercomcdn.com/frame-modern.f3182eef.js net::ERR_SSL_PROTOCOL_ERRORPlease let us know if you need more details
Hello! I am using the Intercom mobile SDK integration for a mobile application. As per the instructions on the dashboard I am enabling identity verification to secure the users messenger chats. I am having a persistent issue where on iOS only, the user verification fails only for certain users. The call to register an identified user will fail with this error response:Error: Error logging in: ERROR - [HTTP 401] - Failed Identity Verification check I have replicated this for a user and verified the following:The user hash value we are passing into setUserHash is correct as verified by the hash checker in the installation instructionsThe user ID we user to generate the user hash is correctThe users email is correct I am using the latest version of the mobile SDK on iOS Are there any other steps I can follow to troubleshoot this issue? Any help would be much appreciated!
We need to add a Content Security Policy to our application that adheres to the following requirements:include a 'default-src' directive to act as a fallback for other resource types when their policy definitions are absent set explicit CSP 'script-src' and 'style-src' directives, without the use of wildcard domains not utilize any 'unsafe'- prefixed directives.Reading through this article in Intercom Help, i think point#2 above can be addressed (but please confirm), and also advise if points #1 and #3 can work with Intercom (e.g. can we avoid using the 'unsafe-inline'?)
We would need to add Content Security Policy to our application. I saw this article on Intercom Help. There it is stated to use 'unsafe-inline' but I am wondering is there a way not to use it, since we would like avoid that in our policy?
Noticed that the intercom cookies don’t have the Secure and HttpOnly attributes set. Is it possible to do so?Could this be a security issue for our website without t?
I set up identity verification for web about a year ago and it has been working fine until recently when I noticed that for new users the initial ping request fails with the following error:{ "type": "error.list", "request_id": "00008k...", "errors": [ { "code": "invalid_document", "message": "either_email_or_user_id_present validation failed" } ]}My application sends email address only and generates a user_hash HMAC against the email only. I have verified that the new users are sending the correct email and user_hash HMAC using the hash checker tool in the admin web console. What’s odd is that older users pass validation and the ping request succeeds while newer users fail (same code path). I’ve compared the request/response for successful and failing users and I don’t see any difference. I’ve also tried a variety of new email addresses in case there is some email validation I’m unaware of but all new user emails consistently fail. Has anyone else experienced this?
Is there a way to expire a HMAC hash for identity verification? How long does the hash last if the secrets are not rotated? Rotating a secret requires downtime so it is not ideal. If a HMAC signature is leaked, it can be use by anyone to impersonate a user. Unless I am misunderstanding..
Hi,We have been using Intercom for quite some while and with ID verification turned on, the intercom functionality wont work for users without an account. If the user has an account and logs in it works like a charm (user_hash is set for both IOS and ANDROID and that works without a flaw). When logout again and pressing the chat bubble, the intercom messenger does pop up but said something’s gone wrong and returns this error:[Intercom] ERROR - Tried to fetch composer suggestions but there was a network error (401) - Failed Identity Verification check This also happens when the app starts up and you are not logged in and have not recently logged out.Which is strange as the function used is Intercom.loginUnidentiefiedUser() (if this function is not relevant for ID verification than what is the alternative?)When ID verification is turned off again all functionalities work perfect (both for logged in and unregistered users) "react": "17.0.2","react-native": "0.68.5","@intercom/intercom-rea
showing this things in test , development sideIntercom Messenger warning: Identity Verification is set up correctly but not enabled. For details on how to enable it, see https://docs.intercom.com/configure-intercom-for-your-product-or-site/staying-secure/enable-identity-verification-on-your-web-product.this getting in my webiste browser consolewhen i check installation it getting this error We haven’t received verified data from your installation. Please check the instructions and try again
We are looking at adding identity verification to stop user spoofing on our mobile app and private sites. However we also use intercom on our public pages that have no userid or email as there is no logins. How do we handle this to allow conversations to be opened once Identity Verification is on, but there is no user/email to create a hash for?
Hello there,I want to enable identity verification for a web application my questions are:1-After generating a hash on a server-side, is there a secure way you suggest to send that hash to a client-side? Also, Is it fine JavaScript access to the hash in the client-side?2- How would I test identity verification in DEV environment before implement it in PROD?Thank you!!
We have recently updated to 4.0.1Based on the docs, it appears we are using the correct flow of calls when we wither get a new sign-up or a log-inawait Intercom.setUserHash(userHash)await Intercom.loginUserWithUserAttributes({ email, userId })await Intercom.updateUser({...}) With the above, we get [HTTP 401] - Failed Identity Verification check, after the sign-up call. Interestingly it only occurs for a new user sign up. Login works fine. I have tried adding in await Intercom.loginUnidentifiedUser() before I call loginUserWithUserAttributes but oddly I then get the verification error on the updateUser call. Is this a bug or am I missing something from the docs?
I'm using the Cordova SDK to natively integrate Intercom messenger into my iOS & Android mobile apps. I'm having issues with Identity Verification for iOS Users, always throws an error. My app is using Ionic Framework with ReactJS. So far I've only noticed this error on iOS, with many Users. Please see the screenshot. It's in Ukrainian, but it basically said, ops, something went wrong, we couldn't load any content, please refresh. Refreshing doesn't help. :) This bug was seen on iPhone X / Xs / 12 / 13, and iOS 15.6 - 16.1.1. So likely this isn't related to a specific OS or device. Any help on this issue will be greatly appreciated! Thank you!
is there a way to rotate "Identity verification secret"? I was looking through the docs but haven't found anything.
Why do I have to enable the Identity Verification, how does it work, does it affect users and leads and how to set that up?
Hi, we are launching our new Saas solution in the coming days... One of it's features is Workspaces. As a user, you can create different workspaces, just like in Slack, where you could have one workspace related to company A and another workspace for all things related company B. Now, since our Saas app is security related, for security reasons, each time that one of our customers creates a new workspace it automatically creates a new subdomain for them with the name of their workspace. And they will only be able to access the app (and their workspace) with that subdomain!! So, to give you an example, if you would become our customer and you would create a new workspace called "companyA", we will automatically create a new subdomain for your workspace called:https://companya.ournewsaas.com. (where ournewsaas is the name of our upcoming SaaS, and companyA is the name you gave to your new workspace.)Now comes the question: If - like i explained above - we are going to cr
Messenger TipsProbably obvious and a well known approach but we rely on the Messenger message types to drive engagement for diff types of messages; Chat: when we want to get customers to engage to pick up a convo and drive adoption - now partnered with reso-bots and FAQ answers. Posts: when we generally do not want responses but want to drive action or share info Badge; Low priority (not time sensitive) and impact (no action or impact to services) engagement that is shared as an FYI - the benefit of these is they can queue up and increase count and can be opened later. This allows for ongoing and continuous engagement without impacting customer journey Snippet; Low/Medium priority, and impact where action is required - where part of the message is visible with indicators of what to do so attention is grabbed. Often paired with event or page targeting Show Full; When there is high priority and impact, immediate action or attention required - often partnered with large format to take ov
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.