Embedded co-browsing security features (2024)


During embedded co-browsing, the Collaboration Server transmits the Document Object Model (DOM) of the page the visitor is on to the agent. This is what allows the agent to see what the visitor sees.

In a DOM injection attack, an attacker pretending to be a visitor attempts to inject malicious code into the DOM so that it’s executed on the agent’s computer. The agent’s computer is located in your organization’s network, and the attacker hopes to gain access to internal systems or the agent’s username and password, for example by displaying a login window on the agent’s computer.

DOM injection is possible in one of two ways: by injecting malicious code directly into the page viewed in the co-browsing session, or by injecting a link on the page that points to malicious code hosted on another server.

JavaScript attack

In a JavaScript attack, the attacker injects malicious code directly into the Document Object Model (DOM) of the page they’re co-browsing with an agent.

The Collaboration Server prevents such attacks by removing all executable code before it transmits the DOM of a co-browsed page to the agent’s browser. It removes the following elements:

  • Scripts such as JavaScript.

  • HTML event handlers that may contain executable code, for example onkeydown, onchange, or onload.

  • HTML <a> elements with the javascript: pseudo protocol, for example <a href="javascript:void(0);">. The Collaboration Server removes the content of such links.

  • CSS elements that may contain scripts.

  • CSS that isn’t recognized as valid and safe.

  • The HTML elements <object>, <embed>, and <applet>.
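The filtering listed above can be sketched as follows. This is an added example, not Unblu's code: it uses Python's standard html.parser, and the names TagFilter, filter_dom and SAMPLE are hypothetical. As assumptions, CSS validation is reduced to dropping <style> blocks and style attributes, and a javascript: link is handled by emptying its href.

```python
from html import escape
from html.parser import HTMLParser

# Removed together with their content; <style> stands in for CSS validation (assumption).
DROP_WITH_CONTENT = {"script", "object", "applet", "style"}

def is_javascript_url(value):
    # Browsers ignore whitespace and control characters in the scheme: strip them first.
    compact = "".join(c for c in (value or "") if ord(c) > 0x20)
    return compact.lower().startswith("javascript:")

class TagFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], []           # output pieces, stack of dropped elements

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip.append(tag)              # the stack copes with nested dropped elements
        if self.skip or tag == "embed":        # <embed> is void: only the tag is dropped
            return
        kept = []
        for name, value in attrs:              # names arrive lower-cased, values decoded
            if name.startswith("on") or name == "style":
                continue                       # event handlers and inline CSS
            if name == "href" and is_javascript_url(value):
                value = ""                     # empty the link, keep the element
            kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if self.skip:
            if tag == self.skip[-1]:
                self.skip.pop()
        elif tag != "embed":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def filter_dom(html):
    parser = TagFilter()
    parser.feed(html)
    parser.close()                             # flush text still buffered by the parser
    return "".join(parser.out)

# Constructed sample input, not taken from the page.
SAMPLE = ('<div onclick="steal()"><script>alert(1)</script><a href=" JaVa&#9;Script:alert(1)" title="x">'
          'link</a><object data="x.swf"><param name="a"></object><p>Hi &amp; bye</p></div>')
```

Comments and doctype declarations are not re-emitted, and an unbalanced dropped element suppresses everything after it, so the filter fails closed.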

If you don’t want the Collaboration Server to remove elements, change the value of the configuration property com.unblu.server.security.tagfilter to false.

You can also specify that the Collaboration Server skip certain DOM elements. For more information, refer to the section Skipping DOM elements.

Code is still executed in the visitor’s browser and the processed results are forwarded to the agent, so the website still works as expected.

Link attack

In a link attack, the malicious code the attacker wants to transfer to the agent isn’t injected into the co-browsed page directly. Instead, it’s in a file hosted on a web server controlled by the attacker, and what’s injected into the DOM of the co-browsed page is a link to the file.

If the file is an executable, the agent must confirm that they wish to download the file and must then execute it themselves. If the malicious code is in a file format which supports rich media content, such as PDF or DOC, the agent must still download and open the file, but may be unaware that it contains executable code.

In a setup using the SecureFlow Manager (optionally with whitelisted internal resources), the Collaboration Server only displays content from the trusted sources you’ve configured. If a resource isn’t available from a trusted source, the Collaboration Server doesn’t display it. The attacker’s link, then, simply results in a failed request.

If your organization lets visitors upload files, especially data URLs or canvas images, to a trusted source such as your web server, an attacker might be able to place a malicious file there, and the Collaboration Server would send the file to the agent’s browser. You must therefore take measures to prevent the Collaboration Server and your agents from accessing files uploaded by visitors, to prevent visitors from uploading such files, or to ensure that such files contain no malicious code.
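The trusted-source check and the upload gap described above can be illustrated with an origin allowlist. This is an added example, not Unblu's or the SecureFlow Manager's code; the origins, page URL, paths and function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical configuration: origins the deployment treats as trusted sources.
TRUSTED_ORIGINS = {("https", "www.example.com", 443), ("https", "static.example.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}
PAGE_URL = "https://www.example.com/claims/form"   # constructed co-browsed page URL

def origin_of(reference, page_url=PAGE_URL):
    """Resolve a reference found in the DOM; return (scheme, host, port) or None."""
    try:
        parts = urlsplit(urljoin(page_url, reference))
        port = parts.port                      # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None                            # data:, javascript:, file: and so on
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])

def is_trusted(reference, page_url=PAGE_URL):
    # Compare the whole origin; prefix or substring matching on the URL is not enough.
    return origin_of(reference, page_url) in TRUSTED_ORIGINS

# Constructed references as they might appear in href or src attributes.
SAMPLES = [
    "/img/logo.png",                                      # relative to the trusted page
    "//static.example.com/app.css",                       # scheme-relative, trusted host
    "https://www.example.com.attacker.test/invoice.pdf",  # lookalike host name
    "https://www.example.com@attacker.test/invoice.pdf",  # trusted name used as userinfo
    "http://www.example.com/invoice.pdf",                 # right host, wrong scheme
    "data:text/html;base64,PHA+",                         # no origin at all
    "/uploads/visitor-file.pdf",                          # trusted origin, visitor-supplied file
]

def classify(samples=SAMPLES):
    return {ref: is_trusted(ref) for ref in samples}
```

The last sample passes the check because it is served from a trusted origin, which is why visitor uploads need separate handling.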

FAQs

What is an example of co-browsing?

For example, you can help clients fill out an insurance claim, or review it together after it has been filed. And if you add co-browsing to video banking, you can assist customers with their online mortgage application, for example. You can also give two-way interactive sales demos that are more engaging for your prospects.

Is co-browsing safe?

Co-browsing is a safe technology precisely because of how it differs from traditional screen sharing. The main practical difference between co-browsing and screen sharing is that, with co-browsing, your agents only have access to your own website's page on the user's computer.

What is co-web browsing?

Co-browsing is collaborative, where both parties can browse together on a website and interact with the page in real time. It allows agents to see what the customer is seeing without being able to see other things on their device. It can also mask certain fields containing sensitive information.

What is the difference between co-browsing and screen sharing?

Co-browsing is primarily designed to allow a group of users to engage in synchronized activities, with one user at a time taking the lead. Screen sharing enables multiple users to simultaneously work on different tasks within the same page or application.

Can other websites see my browsing history?

Websites tracking browser history

However, a website can also track a user's browsing history across other websites by using third-party cookies, as long as each site loads the cookie from the same domain.

What is a co-browsing code?

Co-browse code - This feature allows the agents and customers to start a cobrowsing session during a phone conversation. Mobile SDK - This feature lets agents provide support to your mobile app users, so they won't have to switch to a mobile browser.

Can someone watch my browser?

Internet providers can see everything you do on the internet. The only way to defend against this is by encrypting your data. Solutions like VPNs, HTTPS proxies, and the Tor browser can help you protect your data.

Can someone know what you are browsing?

If you've wondered “Can anyone see my search history?”, the answer is yes. The search engine itself, your web browser, your internet service provider (ISP), some advertisers, website owners, app owners, and, in some cases, authorities can see what you search for on Google.

Is my web browsing being tracked?

Simply put, companies track your data for personalization objectives. Third-Party Cookies are placed on sites by ad networks and get stored in your web browser with the intent of collecting data on you for marketing purposes. They record your every move as you cross the internet.

Can someone track my web browsing?

ISPs are still able to track your browsing history and see which websites you visit. The websites you visit can also still track activity with cookies and IP tracking. Network administrators who have access to your device can monitor your web browsing.

What are some .co websites?

Second-level domain names:

  • a.co: Amazon

  • o.co: Overstock.com

  • s.co: Snapchat

  • t.co: X (formerly Twitter)

  • y.co: Y.CO - The Yacht Company

What is the CoBrowsing feature?

CoBrowsing provides valuable visual context and allows companies to “show” not just “tell”, leading to decreased average handle time and more satisfied customers. Leveraging CoBrowsing's “Observation” mode, companies can see customer issues before the customer engagement even begins.

Can someone see my browsing history from another computer?

Interested parties can see your browser history on their phones and other devices, such as computers. Interested parties include your guardians/parents, employer, and partner/spouse. Other prying eyes on the internet, such as your ISP, the government, and hackers, can also see what you are doing online.

Can a website tell if you are screen sharing?

If you are wondering whether a website can detect screen recording, the answer is no. However, it is possible for certain apps to pick up on it. For example, the Netflix desktop/iOS app can detect screen sharing. Screen recording is used to protect copyrighted content from being used without permission.

How do I stop screen sharing on other devices?

On your Android device, go to the “Settings” app. Tap the “Connected Devices” option, then select “Cast Screen”. Tap the “Stop” button to turn off screen mirroring on your Android device.

What is browsing with example?

to look through a book or magazine without reading everything, or to walk around a shop looking at several things without intending to buy any of them: I was browsing through fashion magazines to find a new hairstyle. "Are you looking for anything in particular, sir?" "No, I'm just browsing."

Which of the following is an example of a browser?

Common web browsers include Microsoft Edge, Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari. Google Chrome is the most popular web browser in the world.

What are the two examples of browsers mentioned?

The five most popular browsers which help in surfing the Internet are Mozilla Firefox, Microsoft Edge, Google Chrome, Opera, and Apple Safari.

How does cobrowse work?

A Co-browse session lets an agent and a customer navigate the same web page at the same time. Unlike conventional screen-sharing applications where one party sees an image of the other party's browser, in a Genesys Co-browse session both the agent and the customer share the same instance of the web page.


Author: Velia Krajcik
