Agent can get inbox credentials through api in chatwoot/chatwoot
Valid
Reported on
Nov 14th 2022
Description
user with agent privileges can get access to sensitive inbox details through api
Proof of Concept
- Create normal user with agent privileges
- get api key for this user
- use endpoint https://www.chatwoot.com/developers/api/#tag/Inboxes/operation/listAllInboxes
- if inbox is imap/smtp we see all credentials as plain text (I removed our credentials and paste ***)
{
"payload": [
{
"id": 1,
"avatar_url": "",
"channel_id": 1,
"name": "OUTPOUREZ",
"channel_type": "Channel::Email",
"greeting_enabled": false,
"greeting_message": "",
"working_hours_enabled": false,
"enable_email_collect": true,
"csat_survey_enabled": false,
"enable_auto_assignment": false,
"auto_assignment_config": {
"max_assignment_limit": null
},
"out_of_office_message": null,
"working_hours": [
{
"day_of_week": 0,
"closed_all_day": true,
"open_hour": null,
"open_minutes": null,
"close_hour": null,
"close_minutes": null,
"open_all_day": false
},
{
"day_of_week": 1,
"closed_all_day": false,
"open_hour": 9,
"open_minutes": 0,
"close_hour": 17,
"close_minutes": 0,
"open_all_day": false
},
{
"day_of_week": 2,
"closed_all_day": false,
"open_hour": 9,
"open_minutes": 0,
"close_hour": 17,
"close_minutes": 0,
"open_all_day": false
},
{
"day_of_week": 3,
"closed_all_day": false,
"open_hour": 9,
"open_minutes": 0,
"close_hour": 17,
"close_minutes": 0,
"open_all_day": false
},
{
"day_of_week": 4,
"closed_all_day": false,
"open_hour": 9,
"open_minutes": 0,
"close_hour": 17,
"close_minutes": 0,
"open_all_day": false
},
{
"day_of_week": 5,
"closed_all_day": false,
"open_hour": 9,
"open_minutes": 0,
"close_hour": 17,
"close_minutes": 0,
"open_all_day": false
},
{
"day_of_week": 6,
"closed_all_day": true,
"open_hour": null,
"open_minutes": null,
"close_hour": null,
"close_minutes": null,
"open_all_day": false
}
],
"timezone": "UTC",
"callback_webhook_url": null,
"allow_messages_after_resolved": true,
"widget_color": null,
"website_url": null,
"hmac_mandatory": null,
"welcome_title": null,
"welcome_tagline": null,
"web_widget_script": null,
"website_token": null,
"selected_feature_flags": null,
"reply_time": null,
"messaging_service_sid": null,
"phone_number": null,
"forward_to_email": "23308d028c7d051a6109254efb480046@",
"email": "***",
"imap_login": "***",
"imap_password": "***",
"imap_address": "s124.cyber-folks.pl",
"imap_port": 993,
"imap_enabled": true,
"imap_enable_ssl": true,
"smtp_login": "***",
"smtp_password": "***",
"smtp_address": "s124.cyber-folks.pl",
"smtp_port": 465,
"smtp_enabled": true,
"smtp_domain": "outpourez.pl",
"smtp_enable_ssl_tls": true,
"smtp_enable_starttls_auto": false,
"smtp_openssl_verify_mode": "none",
"smtp_authentication": "login"
}
]
}
Impact
Agent can get inbox credentials through api
We are processing your report and will contact the
chatwoot
team within 24 hours.
2 months ago
We have contacted a member of the
chatwoot
team and are waiting to hear back
2 months ago
Thanks for the report. we will have it fixed in our upcoming release
Wojtek
has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation