Omission of Security-relevant Information in chatwoot/chatwoot

Valid

Reported on

Nov 19th 2021


I'll explain it briefly: a contact is created with the email address "customer1@company.com" and we are corresponding with them about sensitive information. The userIdentifier is required to be validated with HMAC.

Now a human, on the other side of the world, comes into the chat and is asked by the bot for his email address during the chat. Without any legitimation, he simply enters "customer1@company.com" as his email and chats with our employee. To our employee it looks as if he is chatting with the real "customer1".

If the real "customer1" now chats with our agent, the fake "customer1" can read all entries just because he entered the e-mail address. Maybe I am making an error in my reasoning? But I have been able to test it that way in various scenarios in sandbox environments. I use an account in the Chatwoot hosted environment for testing.
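The flaw described above is an identity-binding problem: an email typed into the widget is treated as proof that the visitor is the contact who owns that email, so the session is merged into that contact's conversation history. The defensive pattern the report alludes to (validating the user identifier with an HMAC) is shown below as an added example in Ruby. It is not Chatwoot's own code; the secret, the contact table, the helper names (`identifier_hmac`, `identifier_verified?`, `resolve_contact`) and the return-value convention are all assumptions constructed for this illustration. The point it demonstrates is that an identifier without a valid HMAC must never be merged into an existing contact, only recorded as an unverified claim on a fresh contact.

```ruby
require 'openssl'

# Per-inbox HMAC secret. Constructed for this example; a real deployment keeps
# one secret per inbox server-side and only hands the derived hash to the
# customer's own authenticated session on the host site, never to the widget
# at large.
INBOX_HMAC_SECRET = 'example-inbox-secret-not-a-real-key'.freeze

# HMAC-SHA256 over the contact identifier (here the email), hex-encoded.
# Hypothetical helper, not Chatwoot's own code.
def identifier_hmac(identifier, secret = INBOX_HMAC_SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, identifier)
end

# Constant-time comparison so the check does not leak how many leading
# bytes of the presented hash were correct. Lengths are fixed for hex
# digests, so rejecting on a length mismatch leaks nothing useful.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when the client presented a hash the server can reproduce.
def identifier_verified?(identifier, presented_hash, secret = INBOX_HMAC_SECRET)
  return false if identifier.nil? || presented_hash.nil?
  secure_equal?(identifier_hmac(identifier, secret), presented_hash.to_s)
end

# Existing contacts keyed by email: constructed sample data standing in for
# the "customer1" of the report.
CONTACTS = {
  'customer1@company.com' => { id: 1, email: 'customer1@company.com', verified: true }
}.freeze

# Decide which contact record a widget session is attached to.
#   [:existing, contact]   verified identifier matching a known contact
#   [:new_verified, c]     verified identifier with no existing record
#   [:new_unverified, c]   no valid HMAC: create a separate, unverified
#                          contact so the session never inherits another
#                          contact's conversation history
def resolve_contact(email, presented_hash, contacts = CONTACTS)
  if identifier_verified?(email, presented_hash)
    existing = contacts[email]
    return [:existing, existing] if existing
    return [:new_verified, { email: email, verified: true }]
  end
  [:new_unverified, { email: email, verified: false }]
end

if __FILE__ == $PROGRAM_NAME
  # The scenario from the report: someone types customer1's email with no proof.
  p resolve_contact('customer1@company.com', nil)
  # The real customer1, whose host page obtained the HMAC from its own backend.
  p resolve_contact('customer1@company.com', identifier_hmac('customer1@company.com'))
end
```

The design choice worth noting is that the decision is made entirely on the server with a secret the widget never sees: the host site computes the HMAC for a user it has already authenticated and passes it along with the identifier, so a visitor who merely knows an email address cannot produce a valid hash and lands on a separate contact with no access to earlier conversations.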

We are processing your report and will contact the chatwoot team within 24 hours. 15 days ago
We have contacted a member of the chatwoot team and are waiting to hear back 14 days ago
Sojan Jose validated this vulnerability 11 days ago
noezdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sojan Jose confirmed that a fix has been merged on 791d90 11 days ago
The fix bounty has been dropped