Intercom Token
Intercom tokens are credentials used to authenticate and interact with the Intercom API, a platform that facilitates customer communication and engagement. These tokens grant access to various Intercom services, such as messaging, user data retrieval, and customer support operations. Exposure of an Intercom token can lead to unauthorized access to sensitive customer information and manipulation of communication channels, posing significant security risks.
How Does It Look
Intercom tokens can appear in various contexts, such as:
- Environment variables:
  export INTERCOM_TOKEN="ic_1234567890abcdef"
- Configuration files (JSON, YAML, .env):
  {
    "intercom": {
      "token": "ic_1234567890abcdef"
    }
  }
  intercom:
    token: ic_1234567890abcdef
- Code snippets:
  const intercomToken = "ic_1234567890abcdef";
- Connection strings: not applicable. Intercom tokens are sent as an HTTP bearer header, not embedded in a connection string.
The value ic_1234567890abcdef above is a placeholder; look for the variable names and file locations listed under Detection Patterns rather than relying on the prefix alone.
Severity
🟠 High
This rating reflects the access an Intercom token grants to customer data and communication channels. An attacker holding the token acts as the workspace's own integration: they can read private conversations, message customers as if they were the company's support team, and disrupt customer interactions, with significant business impact.
What Can an Attacker Do?
With immediate access to an Intercom token, an attacker can perform several malicious actions:
- Access customer data: Retrieve sensitive user information and conversation history (if the token has read permissions).
- Send unauthorized messages: Impersonate the company to send messages to customers (if messaging permissions are granted).
- Modify user profiles: Alter customer data, potentially leading to misinformation or data corruption (if write access is enabled).
- Access billing information: View or modify billing details (if the account has billing scope enabled).
An attacker could also use the data obtained through Intercom (customer identities, conversation content, custom attributes synced from other systems) to pivot into services integrated with Intercom, for example by abusing webhooks or trusted data flows, widening the compromise beyond Intercom itself.
Real-World Impact
Exposure of an Intercom token poses significant business risks, including:
- Data Exposure: Unauthorized access to customer conversations and personal data (if the credential has read access to sensitive data).
- Financial Loss: Potential for fraudulent activities or unauthorized billing changes (if billing/resource creation is permitted).
- Operational Disruption: Interruption of customer communication channels, leading to service downtime (if the attacker has delete/modify permissions).
- Reputational Damage: Loss of customer trust due to unauthorized communications or data breaches.
In worst-case scenarios, the exposure could lead to cascading effects, such as further breaches of integrated systems or services, amplifying the damage.
Prerequisites for Exploitation
To exploit an exposed Intercom token, an attacker needs:
- Network access to the Intercom API endpoints (any host on the internet qualifies)
- Knowledge of the relevant API endpoints and methods, which are publicly documented
- No compensating controls on the token, such as a tightly restricted scope or an IP restriction; rate limits only slow an attacker down, they do not stop them
How to Verify If It's Active
To verify if an Intercom token is active without pulling customer records, call the endpoint that identifies the token's own admin/app (do not list contacts just to test; that retrieves customer data you do not need):
curl -sS -i "https://api.intercom.io/me" -H "Authorization: Bearer [TOKEN]" -H "Accept: application/json"
Valid credential response: HTTP 200 with a JSON admin object and the app it belongs to, which also tells you which workspace is exposed.
Invalid/expired credential response: HTTP 401 with an error.list JSON body whose error code indicates the token is unauthorized, revoked or expired.
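The same check as a small script, added here as an example and not taken from the original page or from Intercom's tooling. It reads the token from the INTERCOM_TOKEN environment variable (never argv, which leaks into the process list and shell history), calls GET /me, and classifies the result. The response shape assumed for a live token is an admin object with a nested app; the sample bodies in the test are constructed, not captured.

```python
"""Check whether a leaked Intercom access token is still live.

Added example, not part of the original page or Intercom's tooling. GET /me
returns the admin/app the token belongs to and modifies nothing, so it is a
lower-impact probe than listing contacts. classify_response() is pure so it
can be exercised offline; only main() touches the network.
"""
import json
import os
import sys
import urllib.error
import urllib.request

ME_URL = "https://api.intercom.io/me"


def mask(token: str) -> str:
    """Never print the full token; show just enough to correlate with the leak."""
    return token if len(token) <= 8 else f"{token[:4]}...{token[-4:]}"


def classify_response(status: int, body: str) -> dict:
    """Turn the HTTP status and JSON body from GET /me into a verdict.

    Verdicts: ACTIVE, INVALID (revoked/expired/unknown token), RATE_LIMITED, UNKNOWN.
    Assumed /me shape for a live token: {"type": "admin", "email": ..., "app": {"name": ...}}.
    """
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    result = {"verdict": "UNKNOWN", "app": None, "admin": None, "errors": []}
    if status == 200 and data.get("type") in ("admin", "app"):
        result["verdict"] = "ACTIVE"
        # The app name/admin email identify the exposed workspace for blast-radius work.
        app = (data.get("app") or {}) if data.get("type") == "admin" else data
        result["app"] = app.get("name")
        result["admin"] = data.get("email")
    elif status == 401:
        result["verdict"] = "INVALID"
    elif status == 429:
        result["verdict"] = "RATE_LIMITED"
    if data.get("type") == "error.list":
        result["errors"] = [e.get("code") for e in data.get("errors", [])]
    return result


def check_token(token: str, timeout: float = 10.0) -> dict:
    """Perform the live request. Only called from main(), never at import time."""
    req = urllib.request.Request(
        ME_URL,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 401/429 arrive as HTTPError; the body still carries Intercom's error.list.
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


def main() -> int:
    token = os.environ.get("INTERCOM_TOKEN")
    if not token:
        print("set INTERCOM_TOKEN in the environment (not on the command line)", file=sys.stderr)
        return 2
    result = check_token(token)
    detail = ""
    if result["verdict"] == "ACTIVE":
        detail = f" (app={result['app']!r}, admin={result['admin']!r})"
    if result["errors"]:
        detail += f" errors={result['errors']}"
    print(f"{mask(token)}: {result['verdict']}{detail}")
    # Non-zero when the token still works, so a pipeline can alert on it.
    return 0 if result["verdict"] == "INVALID" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `INTERCOM_TOKEN=... python3 check_intercom_token.py`; a zero exit code means the token is dead, anything else means it still needs revoking or the check was inconclusive.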
Detection Patterns
Common Variable Names:
- INTERCOM_TOKEN
- INTERCOM_API_KEY
- INTERCOM_SECRET
- INTERCOM_ACCESS_TOKEN
- INTERCOM_CLIENT_TOKEN
- INTERCOM_AUTH_TOKEN
File Locations:
- .env
- config.json
- settings.yaml
- intercom_config.js
- credentials.py
Regex Pattern:
\b(ic_[a-zA-Z0-9]{16,32})\b
The word boundaries stop the pattern from firing inside longer identifiers. Because the ic_ prefix is the convention used in this page's examples rather than a guarantee about every token, pair the value pattern with the variable names above so that an assignment such as INTERCOM_ACCESS_TOKEN=... is flagged even when the value looks different.
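A scanner that applies these patterns, added here as an example and not taken from the original page or from any existing secret-scanning tool. It reports a high-confidence finding when a value matches the token regex and a medium-confidence finding when one of the listed variable names is assigned a non-placeholder value, masks what it prints, and exits non-zero so it can double as the pre-commit hook mentioned under Remediation Steps. The sample files are constructed and contain no real credentials.

```python
"""Scan source and config text for leaked Intercom tokens.

Added example, not part of the original page or any Intercom tooling. It
combines the page's value regex (high confidence) with the page's variable
names (medium confidence when the value is not a placeholder) and can be
run as a pre-commit hook: python3 scan_intercom.py $(git diff --cached --name-only)
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Value pattern from the page; \b keeps it from matching inside longer identifiers.
TOKEN_RE = re.compile(r"\bic_[A-Za-z0-9]{16,32}\b")

# Variable names from the page, followed by = or : and an optionally quoted value.
VAR_RE = re.compile(
    r"(?i)\bINTERCOM_(?:TOKEN|API_KEY|SECRET|ACCESS_TOKEN|CLIENT_TOKEN|AUTH_TOKEN)\b"
    r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s]+)"
)

# Values that are references or placeholders rather than secrets.
PLACEHOLDER_RE = re.compile(
    r"^(\$\{?\w+\}?|<[^>]*>|x{4,}|changeme|replace_me|your[_-]?token|dummy)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    confidence: str  # "high" (value matches token format) or "medium" (named variable)
    masked: str


def mask(secret: str) -> str:
    """Show only enough of the value to locate it; never log the full secret."""
    return secret if len(secret) <= 8 else f"{secret[:4]}...{secret[-4:]}"


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per offending line, preferring the value match."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TOKEN_RE.search(line)
        if m:
            findings.append(Finding(path, lineno, "high", mask(m.group(0))))
            continue
        m = VAR_RE.search(line)
        if m and not PLACEHOLDER_RE.match(m.group("value")):
            findings.append(Finding(path, lineno, "medium", mask(m.group("value"))))
    return findings


def scan_files(paths: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(p, fh.read()))
        except OSError:
            continue  # deleted or unreadable path in the staged set; skip it
    return findings


def main(argv: List[str]) -> int:
    """Pre-commit entry point: exit 1 when anything is found."""
    findings = scan_files(argv)
    for f in findings:
        print(f"{f.path}:{f.line}: possible Intercom token ({f.confidence}): {f.masked}")
    return 1 if findings else 0


# Constructed sample inputs (no real credentials) covering the formats shown on the page.
SAMPLES: Dict[str, str] = {
    ".env": 'export INTERCOM_TOKEN="ic_1234567890abcdef"\nDATABASE_URL=postgres://localhost/app\n',
    "config.json": '{\n  "intercom": {\n    "token": "ic_1234567890abcdef"\n  }\n}\n',
    "settings.yaml": "intercom:\n  token: ${INTERCOM_TOKEN}\n",
    "deploy.yml": "env:\n  INTERCOM_ACCESS_TOKEN: s3cr3tvalue-not-ic-prefixed\n",
    "intercom_config.js": "const intercomToken = process.env.INTERCOM_TOKEN;\n",
    "example.env": "INTERCOM_API_KEY=<your-token>\n",
}


def scan_samples() -> List[Finding]:
    return [f for path, text in SAMPLES.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Of the six constructed samples only three produce findings: the .env and JSON files (value match), and the deployment YAML that assigns INTERCOM_ACCESS_TOKEN a literal that does not carry the ic_ prefix, which is exactly the case the value regex alone would miss. The ${INTERCOM_TOKEN} reference, the process.env lookup and the <your-token> placeholder are correctly ignored.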
Remediation Steps
- Revoke immediately - In the Intercom Developer Hub, revoke or regenerate the compromised access token on the app that issued it (or uninstall that app); do this before anything else, since every other step takes time the attacker can use.
- Audit access logs - Review Intercom audit logs for unauthorized access or actions during the exposure window.
- Assess blast radius - Identify all systems, applications, and environments that used the exposed token.
- Rotate credential - Generate a new token in Intercom with least-privilege permissions.
- Update dependent systems - Deploy the new token to all applications and update CI/CD pipelines securely.
- Harden access controls - Scope the replacement token to the minimum permissions the integration actually uses, enable IP allowlisting where Intercom offers it for your plan, and keep the token server-side only (never in browser or mobile code).
- Implement secrets management - Migrate tokens to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch token leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.