How RB2B is exploiting LiveIntent to get website visitor Personal Identity
I recently came across the surging popularity of rb2b.com, due to their claim of providing personal information (like name, email, LinkedIn profile URL, etc.) of visitors to website owners.
How?
It caught my attention and so I decided to try it and also read through the SDK. I noticed this method:
B2BRetention.prototype.trigger_li = function () {
    window.liQ = window.liQ || [];
    window.liQ.push({config: {sync: false, identityResolutionConfig: {publisherId: 72731}}});
    let scriptTag = document.createElement('script');
    // LiveIntent SDK to fetch user hash
    scriptTag.src = 'https://b-code.liadm.com/lc2.js';
    scriptTag['onload'] = function () { _reb2b.fetch_li_id(); };
    document.head.appendChild(scriptTag);
};
This seems to be using the LiveIntent JS SDK to get a hash that uniquely identifies the user. LiveIntent supposedly helps identify users via MD5 or SHA1 hashes. These can then be mapped back to the email address if you have a table of hash -> email addresses or other unique identifiers.
Is this a vulnerability?
I think it is!
I think this method of user tracking by LiveIntent can be easily exploited by other actors with a simple dictionary attack. I think the rb2b team is sending these hashes back and then trying to compare these hashes to a table of email hashes or other unique identifiers like LinkedIn IDs.
So if anyone ever used LiveIntent, your email hashes could be the same across different companies and you could be easily tracked via a simple dictionary lookup.
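To make the privacy risk concrete, here is an added example (not RB2B's or LiveIntent's code) contrasting a plain unsalted email digest with a per-party keyed pseudonym, which neither matches across parties nor resolves from a list of known addresses. The addresses, keys, function names and the trim/lowercase normalisation are assumptions made for illustration.

```javascript
// Added illustration; not taken from the RB2B or LiveIntent SDKs.
const crypto = require('node:crypto');

// Assumed normalisation applied to an address before hashing.
const normalize = (email) => email.trim().toLowerCase();

// Unsalted digest: every party computes the same value for the same address.
function plainHash(email, algo = 'md5') {
  return crypto.createHash(algo).update(normalize(email)).digest('hex');
}

// Keyed pseudonym: the value depends on a secret held by one party only.
function keyedPseudonym(email, secretKey) {
  return crypto.createHmac('sha256', secretKey).update(normalize(email)).digest('hex');
}

// Audit helper: can someone holding only a list of candidate addresses
// map this identifier back to an address? Returns the address or null.
function resolve(identifier, candidates, hashFn) {
  const table = new Map(candidates.map((e) => [hashFn(e), normalize(e)]));
  return table.get(identifier) ?? null;
}

// Constructed sample data.
const knownAddresses = ['alice@example.com', 'bob@example.org', 'carol@example.net'];
const visitor = ' Bob@Example.org ';
const siteAKey = crypto.randomBytes(32); // secret of hypothetical site A
const siteBKey = crypto.randomBytes(32); // secret of hypothetical site B

function demo() {
  const plainId = plainHash(visitor);
  const pseudonymA = keyedPseudonym(visitor, siteAKey);
  const pseudonymB = keyedPseudonym(visitor, siteBKey);
  return {
    // The plain digest is identical wherever the address is hashed.
    sameAcrossParties: plainId === plainHash('bob@example.org'),
    // It resolves to the address from nothing more than a candidate list.
    plainResolved: resolve(plainId, knownAddresses, plainHash),
    // The keyed pseudonym does not resolve without the key...
    keyedResolvedWithoutKey: resolve(pseudonymA, knownAddresses, plainHash),
    // ...and two sites' pseudonyms for the same visitor do not match.
    keyedLinkable: pseudonymA === pseudonymB,
  };
}

console.log(demo());
```

The keyed form only helps if each party keeps its key private; a key shared across companies brings back the same linkability as the plain digest.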
Where do we go from here?
I'm not fully aware of how LiveIntent works, but it would be great if they can share some more insights about personal data security and potentially fix these issues. Otherwise it could be used for malicious purposes (other than just trying to spam website visitors).