Origin Validation Error in chatwoot/chatwoot

Valid

Reported on

Oct 17th 2021


Description

chatwoot fails to validate the original email when a user changes his/her email address in Profile Settings.

An attacker may use this mechanism to forge an arbitrary email address (especially one in a trusted domain).

Proof of Concept

My original email is b2_account@iubridge.com, and I had confirmed it by clicking the corresponding URL (screenshot attached).

But when I change my email to another address, e.g. no_existing_account@iubridge.com, it does NOT require confirmation!


Impact

This vulnerability is capable of:

  • letting an attacker use the mechanism to forge an arbitrary email address (especially one in a trusted domain)
  • impersonating staff from your official sites, such as FOO@chatwoot.com
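The flow the report describes, as an added example that is not code from the original report or from chatwoot: a toy model of an "update my email" action that overwrites the email column in place, beside a reconfirmable variant that parks the new address in a separate field and promotes it only when a token delivered to the new mailbox is presented back. The class and method names (UnsafeUser, ReconfirmableUser, replay_report) and the sample addresses are hypothetical and constructed for the demo.

```ruby
require 'securerandom'

# Added illustration, not chatwoot's code: two toy user models showing the
# difference between overwriting the email column directly and a
# "reconfirmable" flow. Class and method names are hypothetical.

class UnsafeUser
  attr_reader :email, :confirmed_at

  def initialize(email)
    @email = email
    @confirmed_at = Time.now # the first address was confirmed via its link
  end

  # The pattern the report describes: the new address replaces the old one
  # in place and silently inherits its confirmed status, so the account can
  # log in as, and is displayed as, an address nobody ever proved they own.
  def update_email(new_email)
    @email = new_email
    true
  end

  def confirmed?
    !@confirmed_at.nil?
  end
end

class ReconfirmableUser
  EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

  attr_reader :email, :unconfirmed_email, :confirmed_at

  def initialize(email)
    @email = email
    @confirmed_at = Time.now
    @unconfirmed_email = nil
    @confirmation_token = nil
  end

  # The new address is parked in unconfirmed_email. The live address (the
  # one login and the agent list use) stays unchanged until a token that was
  # delivered only to the new mailbox is presented back.
  def update_email(new_email)
    return nil unless new_email.match?(EMAIL_RE)
    @unconfirmed_email = new_email
    @confirmation_token = SecureRandom.urlsafe_base64(32)
    @confirmation_token # a real app emails this; it is returned here for the demo
  end

  def confirm(token)
    return false if @confirmation_token.nil? || @unconfirmed_email.nil?
    return false unless secure_compare(token.to_s, @confirmation_token)
    @email = @unconfirmed_email
    @unconfirmed_email = nil
    @confirmation_token = nil # single use
    @confirmed_at = Time.now
    true
  end

  # Authentication must key on the confirmed address only.
  def login_address?(address)
    address == @email
  end

  private

  # Constant-time comparison so token guessing cannot be timed.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replays the report's scenario against both models with constructed
# sample addresses and returns what each model would show.
def replay_report
  forged = 'fake_mail@chatwootmail.com' # the address the report forges
  unsafe = UnsafeUser.new('attacker@example.com')
  unsafe.update_email(forged)

  safe = ReconfirmableUser.new('attacker@example.com')
  token = safe.update_email(forged)

  {
    unsafe_shows_forged_as_confirmed: unsafe.email == forged && unsafe.confirmed?,
    safe_still_logs_in_as_old: safe.login_address?('attacker@example.com'),
    safe_rejects_forged_login: !safe.login_address?(forged),
    safe_rejects_bad_token: !safe.confirm('not-the-token'),
    safe_accepts_real_token: safe.confirm(token),
    safe_token_single_use: !safe.confirm(token)
  }
end

puts replay_report if __FILE__ == $PROGRAM_NAME
```

When testing a profile-settings email change, the checks worth repeating are the ones replay_report encodes: after the change, the old address must still be the only one that logs in and the only one shown as verified, the new address must be rejected for login until its token comes back, and the token must be single use.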

We have contacted a member of the chatwoot team and are waiting to hear back. (2 years ago)
hi-unc1e
2 years ago

Researcher


Hello, is there anything I can do to speed up the confirmation?

Pranav Raj S
2 years ago

@hi-unc1e, can you please share the steps you have done to update the email?

hi-unc1e
2 years ago

Researcher


Original account:

  • https://app.chatwoot.com/app/accounts/36817/dashboard
  • aaaaaaaaaaa@iubridge.com. Note this email has been confirmed (screenshot attached).

In https://app.chatwoot.com/app/accounts/36817/settings/agents/list, it shows that (screenshot attached).

Change email without validation

First change it in the Account settings (screenshot attached). Then log in with the NEW email! (screenshot attached)

It shows MY fake mail is Verified! An attacker could forge an arbitrary email, such as the TRUSTED fake_mail@chatwootmail.com in my example.

hi-unc1e
2 years ago

Researcher


https://app.chatwoot.com/app/accounts/36817/settings/agents/list (screenshot attached)

We have sent a second follow up to the chatwoot team. We will try again in 10 days. (2 years ago)
hi-unc1e
2 years ago

Researcher


Any update? @pranavrajs

hi-unc1e
2 years ago

Researcher


Any update? @pranavrajs (x2)

We have sent a third and final follow up to the chatwoot team. This report is now considered stale. (2 years ago)
Sojan Jose validated this vulnerability 2 years ago
hi-unc1e has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sojan Jose marked this as fixed with commit 5ee209 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE