Chatwoot Origin Validation Vulnerability in Widget Component

Vulnerability

A vulnerability exists in Chatwoot versions through 4.7.0, specifically within the widget component's IFrameHelper.js file. The issue arises in the initPostMessageCommunication function, where the baseUrl argument is not properly validated. This origin validation error allows for remote exploitation, enabling attackers to hijack the cw_conversation token. This token theft could lead to unauthorized access to a victim's conversation history, potentially exposing sensitive information.

Impact

Exploitation of this vulnerability allows for the hijacking of the cw_conversation token, which does not expire, leading to persistent unauthorized access to sensitive conversation data. Additionally, the vulnerability allows for cross-origin abuse due to the missing origin validation in postMessage handling.

Reproduction

The vulnerability can be reproduced by sending a forged postMessage from a malicious site to the Chatwoot widget. The message should include the event 'popoutChatWindow' and a crafted baseUrl that exploits the origin validation flaw. Once the message is received, the widget will open a popup that includes the cw_conversation token in the URL, allowing interception of the token.

Remediation

To address this vulnerability, Chatwoot developers should implement origin validation for postMessage events, ensuring that only messages from trusted domains are processed. Additionally, sensitive tokens like cw_conversation should not be exposed in popup URLs.
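An allowlist-based origin check of the kind the remediation describes, written here as an added example rather than Chatwoot's own code; the allowlist, function names, and popup path are assumptions. The handler returns an action object instead of opening a window so the logic can be exercised headlessly:

```javascript
// Added example (not Chatwoot's code): validate both the message origin and the
// baseUrl carried in a postMessage before deriving a popup URL from it.

// Reduce a URL string to its origin (scheme + host + port); reject non-http(s)
// schemes and unparsable input so "javascript:" or garbage never passes.
function normalizeOrigin(value) {
  try {
    const u = new URL(String(value));
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Exact-match allowlist check; no prefix or substring matching, so
// "https://chat.example.test.evil.test" does not satisfy "https://chat.example.test".
function isTrustedOrigin(origin, allowlist) {
  const normalized = normalizeOrigin(origin);
  return normalized !== null && allowlist.includes(normalized);
}

// event: { origin, data } as delivered to a window "message" listener.
// allowlist: array of trusted origins (assumed configuration).
function handleWidgetMessage(event, allowlist) {
  // First gate: the sender's origin, which the browser sets and which a
  // malicious page cannot spoof.
  if (!isTrustedOrigin(event.origin, allowlist)) {
    return { action: 'ignore', reason: 'untrusted origin' };
  }
  const data = event.data || {};
  if (data.event !== 'popoutChatWindow') {
    return { action: 'ignore', reason: 'unhandled event' };
  }
  // Second gate: the baseUrl in the payload must itself be a trusted origin,
  // and the popup URL is built from the normalized origin, not the raw string.
  const base = normalizeOrigin(data.baseUrl);
  if (base === null || !allowlist.includes(base)) {
    return { action: 'ignore', reason: 'untrusted baseUrl' };
  }
  // The conversation token is deliberately kept out of the popup URL.
  return { action: 'open', url: `${base}/widget/popout` };
}
```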

Added: Oct 27, 2025, 8:21 AM
Updated: Oct 27, 2025, 2:14 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.