Improper Input Validation in chatwoot/chatwoot

Valid

Reported on Jan 13th 2022

Description

This vulnerability impacts all fields sent to Chatwoot. Any field that has an excessive amount of characters in it will cause the agent's page to take an abnormal amount of time to load, often requiring the content to be removed before the page will load. In my example, I put 2000000000 characters in the name of the user and it caused my page not to load. Other examples could be the email, content of the message, etc. Chatwoot does not check for the length of strings or cut them down to an appropriate length.

Proof of Concept

window.$chatwoot.setUser("IDENTIFIER", { name: "hi".repeat(99999999999), identifier_hash: "HASH" })

You may need to play with the string length a bit as sometimes it will cause your Chrome tab to crash.

OR

Copy the result of "hi".repeat(1000000000) and paste it in the chatbox, then send the message.

Impact

This vulnerability is capable of making the entire agent panel not load for an extended period of time and causing the logs to output a very large amount of text. Chatwoot becomes basically unusable for any agents using the widget inbox and the user. I had to use the Chatwoot API to delete the message because I could not physically access the page anymore. After testing this for a little while of putting these long strings in, it seems I crashed my entire Docker instance and now my instance is broken. Oops!

It appears that if you spam it a few times (the setUser method), then you can crash the entire Chatwoot instance and make it become unresponsive to requests until it finishes processing all of the text that was sent.

We are processing your report and will contact the chatwoot team within 24 hours. 4 months ago
popeeyy modified the report
4 months ago
We have contacted a member of the chatwoot team and are waiting to hear back 4 months ago
We have sent a follow up to the chatwoot team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the chatwoot team. We will try again in 10 days. 4 months ago
Tejaswini Chile
4 months ago

Maintainer


Message content can be more, we are not shortening it. Account Name, Contact Name, and User name can be checked and validated at the backend.

popeeyy
4 months ago

Researcher


I’m not exactly sure what you are trying to say, but all these fields need to be rejected or shortened or else they will cause the agent panel to become unresponsive and eventually cause the server to stop accepting any requests until it processes all the text. Restarting the server doesn’t even resolve the issue as chatwoot will pick right back up where it was and you have to wait hours for it to become responsive again and delete it via the API. I don’t believe there is a debate on whether or not you should shorten the text when failing to do so will shut the entire service offline.

Tejaswini Chile validated this vulnerability 4 months ago
popeeyy has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the chatwoot team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the chatwoot team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the chatwoot team. This report is now considered stale. 3 months ago
Sojan Jose confirmed that a fix has been merged on 882110 3 months ago
The fix bounty has been dropped
popeeyy
3 months ago

Researcher


Custom attributes are still not validated and the server will still crash when receiving an extremely large custom attribute.

Sojan Jose
2 months ago

Maintainer


@popeeyy thanks for the report. Apologies for missing this part in the earlier report. We are prioritising a fix for custom attributes as well.

Tejaswini Chile
2 months ago

Maintainer


I will be adding a fix for this in the current release, with server-side validation over the length of custom attributes.

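The thread settles on backend length checks for the name fields and, later, for custom attributes. The following is an added illustration of what such request-boundary validation looks like; it is not Chatwoot's code and does not reproduce the merged fix. The module name, the field list, every limit value and the strict/lenient split are assumptions chosen for the example. It is plain Ruby with no Rails dependency so it runs stand-alone, but the same checks would sit in a controller or model validation before anything is persisted or enqueued.

```ruby
require 'json'

# Added example (not Chatwoot's code): reject or truncate oversized inbound
# fields before they reach the database or a background job. Field names and
# limits are assumed values for illustration only.
module InboundFieldValidator
  # Maximum accepted length per scalar field, in characters (assumed limits).
  FIELD_LIMITS = {
    'name'       => 255,
    'email'      => 255,
    'identifier' => 255,
    'content'    => 150_000
  }.freeze

  # Limits for the free-form custom_attributes hash (assumed values).
  MAX_CUSTOM_ATTRIBUTES   = 50
  MAX_CUSTOM_KEY_LENGTH   = 100
  MAX_CUSTOM_VALUE_LENGTH = 1_000
  MAX_CUSTOM_TOTAL_BYTES  = 20_000

  # Validate a parsed request payload. Returns [errors, sanitized_params].
  # strict: true  -> any oversized scalar field is an error (reject with 422).
  # strict: false -> scalar fields are truncated to their limit instead.
  # custom_attributes is never truncated: cutting a structured blob at an
  # arbitrary point is unsafe, so violations there are always errors.
  def self.validate(params, strict: true)
    errors = []
    out = {}

    FIELD_LIMITS.each do |field, limit|
      value = params[field]
      next if value.nil?
      unless value.is_a?(String)
        errors << "#{field}: must be a string"
        next
      end
      # Count characters rather than bytes so a multi-byte UTF-8 name is
      # never cut in the middle of a codepoint.
      if value.length > limit
        if strict
          errors << "#{field}: exceeds #{limit} characters (got #{value.length})"
        else
          out[field] = value[0, limit]
        end
      else
        out[field] = value
      end
    end

    custom = params['custom_attributes']
    unless custom.nil?
      custom_errors = validate_custom_attributes(custom)
      errors.concat(custom_errors)
      out['custom_attributes'] = custom if custom_errors.empty?
    end

    [errors, out]
  end

  # Check key count, key length, per-value serialized length and total
  # serialized size of the custom attributes hash.
  def self.validate_custom_attributes(attrs)
    return ['custom_attributes: must be an object'] unless attrs.is_a?(Hash)

    errors = []
    if attrs.size > MAX_CUSTOM_ATTRIBUTES
      errors << "custom_attributes: more than #{MAX_CUSTOM_ATTRIBUTES} keys"
    end

    attrs.each do |key, value|
      label = key.to_s[0, 20].inspect
      if key.to_s.length > MAX_CUSTOM_KEY_LENGTH
        errors << "custom_attributes: key #{label} exceeds #{MAX_CUSTOM_KEY_LENGTH} characters"
      end
      # Values may be nested arrays or hashes, so measure the serialized form;
      # a large string one level down must not slip past a per-string check.
      serialized = value.is_a?(String) ? value : JSON.generate(value)
      if serialized.length > MAX_CUSTOM_VALUE_LENGTH
        errors << "custom_attributes: value for #{label} exceeds #{MAX_CUSTOM_VALUE_LENGTH} characters"
      end
    end

    total = JSON.generate(attrs).bytesize
    if total > MAX_CUSTOM_TOTAL_BYTES
      errors << "custom_attributes: total size #{total} bytes exceeds #{MAX_CUSTOM_TOTAL_BYTES}"
    end
    errors
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload: a normal email, an oversized name, and a custom
  # attribute that hides a large string inside a nested object.
  payload = {
    'name' => 'hi' * 10_000,
    'email' => 'user@example.invalid',
    'custom_attributes' => { 'plan' => 'pro', 'notes' => { 'blob' => 'x' * 5_000 } }
  }
  errors, _sanitized = InboundFieldValidator.validate(payload)
  puts errors
end
```

The check has to run at the request boundary, before the value is written or handed to a job queue: the researcher's comment above notes that restarting the server does not help once the oversized text is already stored and being processed, so validation after the fact is too late. Rejecting (strict mode) is the safer default for identifiers and attributes; truncation is only reasonable for display fields where a silently shortened value causes no harm.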