Agent can get inbox credentials through API in chatwoot/chatwoot

Valid

Reported on

Nov 14th 2022


Description

A user with agent privileges can get access to sensitive inbox details through the API.

Proof of Concept

  1. Create a normal user with agent privileges
  2. Get an API key for this user
  3. Use the endpoint https://www.chatwoot.com/developers/api/#tag/Inboxes/operation/listAllInboxes
  4. If the inbox is IMAP/SMTP, we see all credentials as plain text (I removed our credentials and pasted ***):
{
    "payload": [
        {
            "id": 1,
            "avatar_url": "",
            "channel_id": 1,
            "name": "OUTPOUREZ",
            "channel_type": "Channel::Email",
            "greeting_enabled": false,
            "greeting_message": "",
            "working_hours_enabled": false,
            "enable_email_collect": true,
            "csat_survey_enabled": false,
            "enable_auto_assignment": false,
            "auto_assignment_config": {
                "max_assignment_limit": null
            },
            "out_of_office_message": null,
            "working_hours": [
                {
                    "day_of_week": 0,
                    "closed_all_day": true,
                    "open_hour": null,
                    "open_minutes": null,
                    "close_hour": null,
                    "close_minutes": null,
                    "open_all_day": false
                },
                {
                    "day_of_week": 1,
                    "closed_all_day": false,
                    "open_hour": 9,
                    "open_minutes": 0,
                    "close_hour": 17,
                    "close_minutes": 0,
                    "open_all_day": false
                },
                {
                    "day_of_week": 2,
                    "closed_all_day": false,
                    "open_hour": 9,
                    "open_minutes": 0,
                    "close_hour": 17,
                    "close_minutes": 0,
                    "open_all_day": false
                },
                {
                    "day_of_week": 3,
                    "closed_all_day": false,
                    "open_hour": 9,
                    "open_minutes": 0,
                    "close_hour": 17,
                    "close_minutes": 0,
                    "open_all_day": false
                },
                {
                    "day_of_week": 4,
                    "closed_all_day": false,
                    "open_hour": 9,
                    "open_minutes": 0,
                    "close_hour": 17,
                    "close_minutes": 0,
                    "open_all_day": false
                },
                {
                    "day_of_week": 5,
                    "closed_all_day": false,
                    "open_hour": 9,
                    "open_minutes": 0,
                    "close_hour": 17,
                    "close_minutes": 0,
                    "open_all_day": false
                },
                {
                    "day_of_week": 6,
                    "closed_all_day": true,
                    "open_hour": null,
                    "open_minutes": null,
                    "close_hour": null,
                    "close_minutes": null,
                    "open_all_day": false
                }
            ],
            "timezone": "UTC",
            "callback_webhook_url": null,
            "allow_messages_after_resolved": true,
            "widget_color": null,
            "website_url": null,
            "hmac_mandatory": null,
            "welcome_title": null,
            "welcome_tagline": null,
            "web_widget_script": null,
            "website_token": null,
            "selected_feature_flags": null,
            "reply_time": null,
            "messaging_service_sid": null,
            "phone_number": null,
            "forward_to_email": "23308d028c7d051a6109254efb480046@",
            "email": "***",
            "imap_login": "***",
            "imap_password": "***",
            "imap_address": "s124.cyber-folks.pl",
            "imap_port": 993,
            "imap_enabled": true,
            "imap_enable_ssl": true,
            "smtp_login": "***",
            "smtp_password": "***",
            "smtp_address": "s124.cyber-folks.pl",
            "smtp_port": 465,
            "smtp_enabled": true,
            "smtp_domain": "outpourez.pl",
            "smtp_enable_ssl_tls": true,
            "smtp_enable_starttls_auto": false,
            "smtp_openssl_verify_mode": "none",
            "smtp_authentication": "login"
        }
    ]
}

Impact

An agent can get inbox credentials through the API.
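The report above shows the shape of the problem: the inbox listing serializes IMAP/SMTP login and password fields regardless of who is asking. The following is an added Ruby example (not Chatwoot's own code, and not the patch referenced in the timeline) that does two things a defender would want: an audit function that scans a listAllInboxes response for credential-bearing keys with non-empty values, and a role-aware serializer that strips those keys for agents while leaving the connection settings intact for administrators. The credential key list, the role names, the sample response and the function names are all assumptions made for this example.

```ruby
require 'json'

# Keys in the inbox payload whose values are secrets. This list is constructed
# from the fields visible in the report; it is not Chatwoot's own allow-list.
CREDENTIAL_KEYS = %w[imap_login imap_password smtp_login smtp_password].freeze

# Constructed sample: one inbox as returned by the listAllInboxes endpoint,
# trimmed to the fields relevant here, with placeholder credential values.
SAMPLE_RESPONSE = <<~JSON
  {
    "payload": [
      {
        "id": 1,
        "name": "Support",
        "channel_type": "Channel::Email",
        "email": "support@example.com",
        "imap_login": "support@example.com",
        "imap_password": "example-imap-secret",
        "imap_address": "imap.example.com",
        "imap_port": 993,
        "smtp_login": "support@example.com",
        "smtp_password": "example-smtp-secret",
        "smtp_address": "smtp.example.com",
        "smtp_port": 465
      }
    ]
  }
JSON

# Audit check: returns the credential keys present with a non-empty value in
# any inbox of a listAllInboxes response. For a response fetched with an
# agent-scoped API key, the expected result after a fix is an empty array.
def leaked_credential_keys(response_json)
  body = JSON.parse(response_json)
  inboxes = body.fetch('payload', [])
  inboxes.flat_map do |inbox|
    CREDENTIAL_KEYS.select { |k| inbox.key?(k) && !inbox[k].to_s.empty? }
  end.uniq
end

# Serializer-side mitigation (hypothetical role names): administrators keep the
# connection settings they need to manage the inbox; agents get the same object
# with credential keys removed entirely, rather than blanked, so the response
# does not even reveal which credential fields are configured.
def inbox_for_role(inbox, role)
  return inbox.dup if role == 'administrator'

  inbox.reject { |k, _| CREDENTIAL_KEYS.include?(k) }
end

# Builds the response body for the caller's role from a full inbox list.
def render_inboxes(response_json, role)
  body = JSON.parse(response_json)
  { 'payload' => body.fetch('payload', []).map { |i| inbox_for_role(i, role) } }.to_json
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered leaks: #{leaked_credential_keys(SAMPLE_RESPONSE).inspect}"
  puts "agent view leaks: #{leaked_credential_keys(render_inboxes(SAMPLE_RESPONSE, 'agent')).inspect}"
  puts "admin view leaks: #{leaked_credential_keys(render_inboxes(SAMPLE_RESPONSE, 'administrator')).inspect}"
end
```

Run against a real deployment, `leaked_credential_keys` is the regression check to keep: fetch the inbox list with an agent-scoped key and fail the check if it returns anything. The serializer half illustrates the mitigation pattern of deciding what to expose per role at serialization time, instead of relying on the client to ignore fields it should not have.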

We are processing your report and will contact the chatwoot team within 24 hours. 2 months ago
We have contacted a member of the chatwoot team and are waiting to hear back 2 months ago
Sojan Jose validated this vulnerability 2 months ago

Thanks for the report. We will have it fixed in our upcoming release.

Wojtek has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sojan Jose marked this as fixed in 2.12.1 with commit 3083f7 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Sojan Jose published this vulnerability 3 days ago