Improper Privilege Management in chatwoot/chatwoot

Valid

Reported on

Apr 30th 2021


✍️ Description

Privilege escalation to view all conversation

🕵️‍♂️ Proof of Concept

  1. First goto https://app.chatwoot.com/app/accounts/4534/settings/agents/list from admin account and add a user B as agent .
  2. now goto https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list and add a inbox .In this inbox dont add user B as collaborator. Only allow admin himself . So, user B should not see this inbox conversation .
  3. Finally goto user B account and see he has no inbox conversation to his account . Now user B open this url https://app.chatwoot.com/app/accounts/4534/conversations/3 and see all conversation . here in this url change conversation id and see all conversation. If user B want to see conversation 1 then visit url like https://app.chatwoot.com/app/accounts/4534/conversations/1 and see all message in this conversation .

#VIDEO POC-->

https://drive.google.com/file/d/1bw13cXMdsLydBI9yY1B1YgC61x-Dm8hd/view?usp=sharing

💥 Impact

Privilege escalation to view all conversations

Sojan Jose
a year ago

Maintainer


Thanks for reporting. I have added a pull request addressing the changes https://github.com/chatwoot/chatwoot/pull/2224

Sojan Jose
a year ago

Maintainer


fixed in https://github.com/chatwoot/chatwoot/commit/534acfbf96778610b82146cb653b78fdc2a22d5b

Sojan Jose confirmed that a fix has been merged on 534acf a year ago
The fix bounty has been dropped
to join this conversation