Origin Validation Error in chatwoot/chatwoot

Valid

Reported on

Oct 17th 2021


Description

Chatwoot fails to re-validate the email address when a user changes it in Profile Settings: the new address is saved without a confirmation step.

An attacker may use this mechanism to forge an arbitrary email address (especially one in a trusted domain).

Proof of Concept

My original email is b2_account@iubridge.com, and I had confirmed it by clicking the corresponding URL (screenshot).

But when I change my email to another address, e.g. no_existing_account@iubridge.com, it does NOT require confirmation!

(screenshot)

Impact

This vulnerability is capable of:

  • letting an attacker forge an arbitrary email address (especially one in a trusted domain)
  • impersonating staff from your official sites, such as FOO@chatwoot.com
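The report above describes the flaw but not the code behind it, and the page only records that a fix was merged (commit 5ee209) without showing it. The following is an added illustration, written for this page and not taken from Chatwoot: a minimal Ruby model of the vulnerable profile-update flow beside a hardened "reconfirmable" version, in which a changed address is parked in a separate field, a single-use token is mailed to the new mailbox, and the old verified address stays authoritative until that token is presented. The classes, the FakeMailer, the token TTL and the example URL are all assumptions made up for the demonstration; the email addresses are the ones from the report.

```ruby
require "securerandom"
require "digest"

# Constructed stand-in for an outbound mailer: records deliveries instead of sending.
class FakeMailer
  attr_reader :deliveries
  def initialize; @deliveries = []; end
  def deliver(to:, subject:, body:)
    @deliveries << { to: to, subject: subject, body: body }
  end
end

# Vulnerable flow (the behaviour the report describes): a profile update writes the
# new address straight into +email+ and leaves the account marked confirmed, so the
# account now "owns" an address nobody ever proved control of (e.g. FOO@chatwoot.com).
class VulnerableUser
  attr_reader :email, :confirmed
  def initialize(email)
    @email = email
    @confirmed = true # the original address was confirmed at signup
  end

  def update_email!(new_email)
    @email = new_email # no re-confirmation: this is the bug
  end
end

# Hardened flow (generic reconfirmable pattern, an assumption, not Chatwoot's fix):
# the new address goes into +unconfirmed_email+, a token is mailed to THAT address,
# and only a matching, unexpired token swaps it into +email+.
class ReconfirmableUser
  TOKEN_TTL = 24 * 60 * 60 # seconds; hypothetical value

  attr_reader :email, :unconfirmed_email

  def initialize(email, mailer:, clock: -> { Time.now })
    @email = email
    @unconfirmed_email = nil
    @token_digest = nil
    @token_sent_at = nil
    @mailer = mailer
    @clock = clock
  end

  def request_email_change!(new_email)
    new_email = new_email.strip.downcase
    raise ArgumentError, "invalid email" unless new_email.match?(/\A[^@\s]+@[^@\s]+\z/)
    return nil if new_email == @email # nothing to do

    raw_token = SecureRandom.urlsafe_base64(32)
    @unconfirmed_email = new_email
    @token_digest = Digest::SHA256.hexdigest(raw_token) # store a digest, never the raw token
    @token_sent_at = @clock.call
    # The link goes to the NEW address only: that is the proof of mailbox control.
    @mailer.deliver(to: new_email, subject: "Confirm your new email address",
                    body: "https://app.example.test/confirm?token=#{raw_token}")
    nil # the raw token is never handed back to the requesting session
  end

  def confirm_email_change!(raw_token)
    return false if @unconfirmed_email.nil? || @token_digest.nil?
    return false if @clock.call - @token_sent_at > TOKEN_TTL
    # constant-time comparison of the digests avoids a timing side channel on the token
    return false unless secure_compare(Digest::SHA256.hexdigest(raw_token.to_s), @token_digest)

    @email = @unconfirmed_email
    @unconfirmed_email = nil
    @token_digest = nil # single use
    @token_sent_at = nil
    true
  end

  private

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# What the owner of the new mailbox does: pull the token out of the delivered link.
def token_from_mail(mail)
  mail[:body][/token=([A-Za-z0-9_\-]+)/, 1]
end
```

The check a practitioner wants is the one the report performed by hand: after the change request, the account must still read as the old address, the confirmation mail must have gone to the new address only, and a wrong, reused or expired token must leave the old address in place.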
We have contacted a member of the chatwoot team and are waiting to hear back 3 months ago
hi-unc1e
3 months ago

Researcher


Hello, is there anything I can do to speed up the confirmation?

Pranav Raj S
3 months ago

Maintainer


@hi-unc1e, can you please share the steps you followed to update the email?

hi-unc1e
3 months ago

Researcher


Original account:

  • https://app.chatwoot.com/app/accounts/36817/dashboard
  • aaaaaaaaaaa@iubridge.com; note that this email has been confirmed (screenshot)

In https://app.chatwoot.com/app/accounts/36817/settings/agents/list it shows the following (screenshot).

Change email without validation

First change it in the Account settings (screenshot). Then log in with the NEW email! (screenshot)

It shows MY fake mail as Verified! An attacker could forge an arbitrary email, such as the TRUSTED fake_mail@chatwootmail.com in my example.

hi-unc1e
3 months ago

Researcher


https://app.chatwoot.com/app/accounts/36817/settings/agents/list (screenshot)

We have sent a second follow up to the chatwoot team. We will try again in 10 days. 3 months ago
hi-unc1e
2 months ago

Researcher


any update? @pranavrajs

hi-unc1e
2 months ago

Researcher


Any update? @pranavrajs (x2)

We have sent a third and final follow up to the chatwoot team. This report is stale. 2 months ago
Sojan Jose validated this vulnerability 2 months ago
hi-unc1e has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sojan Jose confirmed that a fix has been merged on 5ee209 a month ago
The fix bounty has been dropped