Omission of Security-relevant Information in chatwoot/chatwoot
Reported on
Nov 19th 2021
I'll explain it briefly: A contact is created with the email address "customer1@company.com" and we are writing about sensitive information. The userIdentifier is required to be validated with HMAC.
Now a human, on the other side of the world, comes into the chat and is asked by the bot for his email address during the chat. Without any proof of identity, he simply enters "customer1@company.com" as his email and chats with our employee. For our employee, it looks as if he is chatting with the real "customer1".
If the real "customer1" now chats with our agent, the fake "customer1" can read all entries just because he entered the email address. Maybe I am making a thinking error? But I have just been able to test it that way in various scenarios in sandbox environments. I use an account in the Chatwoot hosted environment for testing.
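To make the identity-validation point concrete, here is an added example (not code from the report or from the Chatwoot project) of how an HMAC-backed identifier check separates a signed identity claim from a bare email typed into the chat. The inbox token, the email address and the function names (`compute_identifier_hash`, `check_identity`, `attach_to_existing_contact?`) are constructed for this illustration; the `enforce:` flag models an inbox setting that rejects unsigned claims.

```ruby
require 'openssl'

# Constructed sample values for this example only; not real Chatwoot data.
INBOX_HMAC_TOKEN = 'example-inbox-hmac-token-do-not-reuse'
VICTIM_EMAIL = 'customer1@company.com'

# Server side of the customer's own website: it knows who is logged in and
# signs that identity with the inbox's secret token (HMAC-SHA256, hex encoded).
# The browser never sees the token, only the resulting hash.
def compute_identifier_hash(identifier, hmac_token = INBOX_HMAC_TOKEN)
  OpenSSL::HMAC.hexdigest('sha256', hmac_token, identifier)
end

# Constant-time comparison so a wrong hash is not rejected byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Model of the inbox's check on an incoming identity claim.
# Returns :verified (hash is valid), :unverified (no hash, enforcement off)
# or :rejected (no hash with enforcement on, or a hash that does not verify).
def check_identity(identifier:, claimed_hash:, enforce:, hmac_token: INBOX_HMAC_TOKEN)
  if claimed_hash.nil? || claimed_hash.empty?
    return enforce ? :rejected : :unverified
  end

  expected = compute_identifier_hash(identifier, hmac_token)
  secure_equal?(expected, claimed_hash) ? :verified : :rejected
end

# Whether the claim may be attached to the existing contact (and its history).
# With enforcement off, an unsigned email typed into the chat still attaches,
# which is exactly the scenario the report describes.
def attach_to_existing_contact?(identifier:, claimed_hash:, enforce:)
  check_identity(identifier: identifier, claimed_hash: claimed_hash, enforce: enforce) != :rejected
end

if __FILE__ == $PROGRAM_NAME
  legit = compute_identifier_hash(VICTIM_EMAIL)
  puts "signed claim, enforced:   #{check_identity(identifier: VICTIM_EMAIL, claimed_hash: legit, enforce: true)}"
  puts "bare email, not enforced: #{check_identity(identifier: VICTIM_EMAIL, claimed_hash: nil, enforce: false)}"
  puts "bare email, enforced:     #{check_identity(identifier: VICTIM_EMAIL, claimed_hash: nil, enforce: true)}"
end
```

The point of the `enforce:` branch is that an HMAC scheme only protects the contact history if unsigned claims are actually refused; if the inbox still accepts a plain email when no hash is supplied, the HMAC is optional from the attacker's point of view and the bot's "what is your email?" prompt becomes the bypass.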