How does the web JS API prevent altering information in the intercomSettings object?

Question

We implement the user_hash to verify identity, but how are other variables verified? For example, a user might add or alter the "name" property of the window.intercomSettings object, or the information in the company object, even adding itself to other companies? Also, one might think to use Intercom REST API to securly add this information on user_id in a controlled manner, but then still the same question applies, how is adding/altering information via frontend prevented?

Eric Fitz · Accepted Answer

Hey @onno​, I can see that you've also been chatting with Sean from our Support team about this, and that he's come back to you with further context. I'm copying his response here so that other Connectors can learn from it."First and foremost, the team wants to make it clear that although your points are considered to be legitimate product concerns, they are unrelated to SOC2/ISO/GDPR compliance. We do not share or expose any data, even if a malicious user were to override some of the details associated with their profile. The only concern is that the integrity of the data provided is not guaranteed, but any risk would depend on how customers leverage the product to suit their needs.With that in mind, if you do have specific concerns about the integrity of your data, the team pointed me to a specific implementation of Intercom (using Rails), which would allow you to integrate the Messenger throughEncrypted Mode. With this, you can encrypt your end-user attributes prior to including it in your webpage, preventing any malicious users from tampering with the intercomSettings. They also mentioned that this is a beta feature, so there's a possibility you may have to change your implementation in future. I've also attached a document with more details on getting started if you wish to implement this &#128077;."

Join the Intercom Community 🎉

Intercom Customers and Employees

Login to the community

Intercom Customers and Employees

Scanning file for viruses.

This file cannot be downloaded