Typebot
- >= 3.9.0, < 3.13.0
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Typebot versions from 3.9.0 up to, but not including, 3.13.0. This vulnerability exists in the API token management endpoint, where an authenticated attacker can delete any user's API token and read its plaintext value. The exploitation requires only knowledge of the target user's ID and token ID, because the endpoint does not check that the token belongs to the authenticated caller.
Exploitation of this vulnerability allows for unauthorized deletion of API tokens and exposure of their plaintext values, leading to information disclosure.
To reproduce this vulnerability, authenticate as a user (User A) and obtain the target user's (User B) ID and API token ID. Then, send a DELETE request to the API token management endpoint using User A's session. The response will confirm the token deletion and include the plaintext token value, demonstrating the successful exploitation of the IDOR vulnerability.
Users can upgrade to Typebot version 3.13.0 or later, where this vulnerability has been fixed.
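The following is an added, hypothetical TypeScript model of the missing check described above; it is not Typebot's code and assumes a route shaped like `DELETE /users/:userId/api-tokens/:tokenId`, an in-memory token store, and constructed sample users and tokens. It places the vulnerable handler beside the form that scopes the lookup to the authenticated caller and stops echoing the secret.

```typescript
// Hypothetical model of the IDOR pattern in an API-token delete endpoint.
// Not Typebot's code; the route, store and data below are assumptions.
type ApiToken = { id: string; ownerId: string; name: string; value: string };
type Session = { userId: string };
type DeleteResult =
  | { status: 200; body: { id: string; name: string; token?: string } }
  | { status: 403 | 404; body: { error: string } };

// Constructed sample data: User A and User B each own one API token.
function sampleStore(): ApiToken[] {
  return [
    { id: "tok-a1", ownerId: "user-a", name: "ci", value: "plaintext-secret-a" },
    { id: "tok-b1", ownerId: "user-b", name: "prod", value: "plaintext-secret-b" },
  ];
}

// Vulnerable pattern: the token is looked up purely by the caller-controlled
// path parameters; the authenticated identity is never compared with the
// token owner, and the stored plaintext value is echoed in the response.
function deleteTokenVulnerable(_session: Session, userId: string, tokenId: string, store: ApiToken[]): DeleteResult {
  const removed = store.find((t) => t.ownerId === userId && t.id === tokenId);
  if (!removed) return { status: 404, body: { error: "token not found" } };
  store.splice(store.indexOf(removed), 1);
  return { status: 200, body: { id: removed.id, name: removed.name, token: removed.value } };
}

// Hardened pattern: the path userId must match the session, the lookup is
// scoped to the caller's own tokens (so other users' token IDs are never
// confirmed), and the secret value is not returned after creation.
function deleteTokenFixed(session: Session, userId: string, tokenId: string, store: ApiToken[]): DeleteResult {
  if (userId !== session.userId) return { status: 403, body: { error: "forbidden" } };
  const removed = store.find((t) => t.ownerId === session.userId && t.id === tokenId);
  if (!removed) return { status: 404, body: { error: "token not found" } };
  store.splice(store.indexOf(removed), 1);
  return { status: 200, body: { id: removed.id, name: removed.name } };
}
```

A detection-side check for the same class of bug is a test that calls every per-user endpoint with one user's session and another user's IDs and expects a 403 or 404.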