
Securing Cisco Spark Bots

I have been creating several Spark Bots here at Epoch and have found them to be a very useful tool for adding interactive functionality to Spark chat rooms. Bots can be used for everything from tech support to ordering a pizza – but in our case we wanted to integrate Spark into our CRM site to be able to do things like query the status of a ticket.

One thing I figured out after creating my bot is that, by default, anyone can add it into their own chat room as long as they know the bot’s name/e-mail address. This might be fine for a bot that does something simple or fun such as looking up new articles, but for bots like ours that integrate with an API or may have access to sensitive information this would be a problem.

After looking into the issue and asking around on the Spark Dev channel it seems like this is a known issue, but developers are expected to implement these security checks on their own. There wasn’t anything in the documentation as far as recommended approaches, so I thought I would write up a simple fix that worked for us in the hopes that it may be useful for others out there going through the same thing.

For this example I’m going to show you how to lock down messages sent to a chat bot if you are using gupshup.io, but the same concept would apply if writing and hosting your own bot. Gupshup is a great way to get started writing bots and I’ll probably be writing up a blog post soon with a tutorial. It uses JavaScript so the code examples here are also JS, but you can use any number of languages to integrate with Spark. The security control I decided on was to check the domain name of the user making a request and ensure that it matches @epochuniversal.com. This doesn’t stop someone from adding the bot to their room, but does lock down any requests to it.

Gupshup uses the method below to watch for incoming messages from users in any channel that the bot is a part of. I’ve included an example request match to show what the method looks like before adding the security check:

Now here’s the same code, but with a user domain check before going through the event.message matching logic:

This simply adds an if/else check that matches the domain name using the event.senderobj.channelid property within Gupshup (which returns the user’s e-mail address). There are several other user ID fields in the Gupshup documentation, but this was the only one that returned the e-mail address.
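Here is a fuller version of that domain check as an added example; it is not the code from the post above, and it assumes the Gupshup handler shape of `MessageHandler(context, event)` with `context.sendResponse(text)` for replies (only `event.senderobj.channelid` holding the sender’s e-mail is taken from the post). It goes a little beyond the basic if/else: the domain is compared exactly rather than with a substring or "ends with" test, so `epochuniversal.com.evil.com` and `notepochuniversal.com` are rejected, the comparison is case-insensitive, and malformed or missing sender addresses fail closed. The ticket table and the `status` command are constructed stand-ins for the CRM integration.

```javascript
// Added example, not part of the original post.
// Assumed Gupshup conventions: MessageHandler(context, event) is the entry point,
// context.sendResponse(text) sends a reply, event.message is the incoming text,
// and (as the post states) event.senderobj.channelid is the sender's e-mail.

const ALLOWED_DOMAINS = ['epochuniversal.com'];

// Extract the domain part of an e-mail address, or null if the address is
// not a plain "local@domain" string. Addresses with more than one '@'
// (quoted local parts) are deliberately rejected; Spark identities are plain.
function senderDomain(address) {
  if (typeof address !== 'string') return null;
  const trimmed = address.trim();
  const at = trimmed.lastIndexOf('@');
  if (at <= 0 || at !== trimmed.indexOf('@') || at === trimmed.length - 1) {
    return null;
  }
  const domain = trimmed.slice(at + 1).toLowerCase();
  // Only host-name characters; anything else (whitespace, '/', a second
  // address glued on) means we did not understand the input, so fail closed.
  if (!/^[a-z0-9.-]+$/.test(domain)) return null;
  return domain;
}

// Exact, case-insensitive match against the allow-list. No endsWith(): that
// would accept "epochuniversal.com.evil.com", and a substring test would
// accept "notepochuniversal.com". Subdomains must be listed explicitly.
function isAllowedSender(address, allowed = ALLOWED_DOMAINS) {
  const domain = senderDomain(address);
  if (domain === null) return false;
  return allowed.some((d) => domain === d.toLowerCase());
}

// Constructed sample data standing in for the CRM API (hypothetical).
const TICKETS = { '1042': 'open', '1043': 'closed' };

function handleCommand(text) {
  const m = /^status\s+(\d+)$/i.exec(String(text || '').trim());
  if (!m) return 'Unknown command. Try: status <ticket id>';
  const state = TICKETS[m[1]];
  return state ? `Ticket ${m[1]} is ${state}` : `Ticket ${m[1]} not found`;
}

const REJECT_TEXT = 'Sorry, this bot only responds to Epoch Universal users.';

// The authorization check runs before any command is parsed, so a sender
// outside the allow-list never reaches the CRM-backed logic.
function MessageHandler(context, event) {
  const sender = event && event.senderobj ? event.senderobj.channelid : undefined;
  if (!isAllowedSender(sender)) {
    // Log server-side for review; do not echo the command or any data back.
    console.log(`rejected message from ${String(sender)}`);
    context.sendResponse(REJECT_TEXT);
    return;
  }
  context.sendResponse(handleCommand(event.message));
}

// Drive the handler with a stub context and return the replies it produced,
// so the behaviour can be checked without a live Gupshup/Spark connection.
function simulate(event) {
  const replies = [];
  MessageHandler({ sendResponse: (t) => replies.push(t) }, event);
  return replies;
}

// Usage (stand-alone): an allowed sender gets a ticket status, an outsider
// gets the rejection text.
console.log(simulate({ senderobj: { channelid: 'alice@epochuniversal.com' }, message: 'status 1042' }));
console.log(simulate({ senderobj: { channelid: 'mallory@epochuniversal.com.evil.com' }, message: 'status 1042' }));
```

Two design points worth keeping if you adapt this: the check trusts the e-mail address that Spark asserts for the sender and Gupshup relays, so it is only as strong as that identity path, and it is a per-message check on the sender, not on the room, which is exactly the scope the post describes (anyone can still add the bot; only users from the allowed domain get answers).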

I hope this helps you to keep your Spark bots secure without requiring a lot of extra work. I’m sure there’s a better way to do this but it worked for me. If you know of any other methods, or have your own experience with securing Spark bots, please leave a comment below.

Happy hacking!
