Improper Privilege Management in chatwoot/chatwoot
Apr 30th 2021
Privilege escalation to view all conversations
🕵️♂️ Proof of Concept
- First, go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list from the admin account and add a user B as an agent.
- Now go to https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add an inbox. Do not add user B as a collaborator on this inbox; allow only the admin. User B should therefore not be able to see this inbox's conversations.
- Finally, log in as user B and confirm that no inbox conversations are shown in the account. Now, as user B, open https://app.chatwoot.com/app/accounts/4534/conversations/3 and the whole conversation is displayed. Changing the conversation id in this URL reveals any conversation: to see conversation 1, user B visits https://app.chatwoot.com/app/accounts/4534/conversations/1 and can read every message in it.
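The root cause described above is an authorization gap: the conversation endpoint resolves a record by id without scoping it to the inboxes the requesting agent belongs to. The following Ruby is an added illustrative example, not Chatwoot's own code; it uses a constructed, simplified account/inbox/conversation model and hypothetical names (`ConversationAuthorizer`, `find_conversation`) to show the vulnerable lookup beside the scoped one that a fix should enforce server-side.

```ruby
# Added illustrative example (not Chatwoot's code). Data model below is a
# constructed, simplified stand-in for account, inbox and conversation records.

User = Struct.new(:id, :role)                 # role: :administrator or :agent
Inbox = Struct.new(:id, :member_ids)          # member_ids: user ids allowed to work this inbox
Conversation = Struct.new(:id, :inbox_id, :messages)

class ConversationAuthorizer
  def initialize(inboxes, conversations)
    @inboxes = inboxes.each_with_object({}) { |i, h| h[i.id] = i }
    @conversations = conversations.each_with_object({}) { |c, h| h[c.id] = c }
  end

  # Inboxes the user may read. Administrators see every inbox in the account;
  # agents see only inboxes that list them as a member.
  def accessible_inbox_ids(user)
    return @inboxes.keys if user.role == :administrator

    @inboxes.values.select { |i| i.member_ids.include?(user.id) }.map(&:id)
  end

  # Fixed pattern: resolve the conversation *through* the accessible scope, so a
  # forbidden id and an unknown id are indistinguishable (both return nil) and
  # no record is handed back before the membership check has run.
  def find_conversation(user, conversation_id)
    conv = @conversations[conversation_id]
    return nil if conv.nil?
    return nil unless accessible_inbox_ids(user).include?(conv.inbox_id)

    conv
  end

  # Vulnerable counterpart for comparison: the lookup trusts the id alone, which
  # is the behaviour the report shows (any agent can read any conversation id).
  def find_conversation_unscoped(_user, conversation_id)
    @conversations[conversation_id]
  end
end

# Constructed sample data mirroring the report: the admin owns an inbox and
# user B is an agent who is not a collaborator on it.
ADMIN  = User.new(1, :administrator)
USER_B = User.new(2, :agent)
INBOXES = [Inbox.new(10, [1])]                # only the admin is a member
CONVERSATIONS = [
  Conversation.new(1, 10, ["hello", "order details"]),
  Conversation.new(3, 10, ["private support thread"])
]
AUTHZ = ConversationAuthorizer.new(INBOXES, CONVERSATIONS)

if __FILE__ == $PROGRAM_NAME
  [1, 3].each do |cid|
    unscoped = AUTHZ.find_conversation_unscoped(USER_B, cid)
    scoped   = AUTHZ.find_conversation(USER_B, cid)
    puts "conversation #{cid} as user B: unscoped=#{unscoped.inspect} scoped=#{scoped.inspect}"
  end
end
```

In a real application the scope would be expressed as a database query (conversations joined to the inboxes the current user is a member of) rather than an in-memory filter, but the property to verify is the same: an agent who is not a collaborator on an inbox gets a not-found result for every conversation in it, regardless of the id supplied.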