We implement the user_hash to verify identity, but how are other variables verified? For example, a user might add or alter the "name" property of the window.intercomSettings object, or the information in the company object, even adding itself to other companies?
Also, one might think to use Intercom REST API to securly add this information on user_id in a controlled manner, but then still the same question applies, how is adding/altering information via frontend prevented?
Best answer by Eric Fitz
View original