FreeScout
cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*
- < 1.8.212
FreeScout versions prior to 1.8.212 contain a vulnerability in the thread tracking endpoint GET /thread/read/{conversation_id}/{thread_id}. The endpoint requires no authentication and does not verify that the thread_id belongs to the specified conversation_id. As a result, an unauthenticated attacker can mark threads as read using arbitrary IDs, enumerate valid thread IDs through HTTP response codes, and manipulate opened_at timestamps across different conversations. This is an Insecure Direct Object Reference (IDOR) vulnerability.
Because any unauthenticated user can supply arbitrary thread IDs and conversation IDs, the issue breaks the conversation isolation model and alters the read/unread metrics that support agents rely on.
To reproduce this vulnerability, create two conversations and a thread in the second conversation. Then, without authentication, send a GET request to the thread tracking endpoint using the first conversation ID and the thread ID from the second conversation. This will successfully mark the thread as read and update the opened_at timestamp, demonstrating the IDOR vulnerability.
Users are advised to update FreeScout to version 1.8.212 or later.
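To check whether the endpoint was abused before the update, the web server's access log can be searched for the two patterns described above. The following is an added example, not FreeScout code: it assumes the combined access log format, its log lines are constructed, and the names and the min_threads threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format; addresses, IDs and status codes are illustrative.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /thread/read/12/340 HTTP/1.1" 200 43 "-" "Mail"
198.51.100.7 - - [01/Jan/2025:10:05:09 +0000] "GET /thread/read/12/340 HTTP/1.1" 200 43 "-" "Mail"
203.0.113.9 - - [01/Jan/2025:11:00:00 +0000] "GET /thread/read/1/340 HTTP/1.1" 200 43 "-" "curl"
203.0.113.9 - - [01/Jan/2025:11:00:01 +0000] "GET /thread/read/1/341 HTTP/1.1" 404 0 "-" "curl"
203.0.113.9 - - [01/Jan/2025:11:00:02 +0000] "GET /thread/read/1/342 HTTP/1.1" 200 43 "-" "curl"
192.0.2.44 - - [01/Jan/2025:12:30:00 +0000] "GET /thread/read/15/342 HTTP/1.1" 200 43 "-" "Mail"
203.0.113.9 - - [01/Jan/2025:11:00:05 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "curl"
"""

# Client address, conversation ID, thread ID and response status of a tracking request.
HIT = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /thread/read/(\d+)/(\d+)(?:\?\S*)? HTTP/[\d.]+" (\d{3})'
)

def parse(log_text):
    """Return (client, conversation_id, thread_id, status) for each tracking request."""
    hits = []
    for line in log_text.splitlines():
        m = HIT.match(line)
        if m:
            hits.append((m[1], int(m[2]), int(m[3]), int(m[4])))
    return hits

def mismatched_threads(hits):
    """Thread IDs requested under more than one conversation ID.
    A thread belongs to one conversation, so a second pairing means at least
    one request used an ID pair the application never issued."""
    seen = defaultdict(set)
    for _, conv, thread, _ in hits:
        seen[thread].add(conv)
    return {t: sorted(c) for t, c in seen.items() if len(c) > 1}

def enumerating_clients(hits, min_threads=3):
    """Clients that requested at least min_threads distinct thread IDs, with the last status seen per ID."""
    seen = defaultdict(dict)
    for client, _, thread, status in hits:
        seen[client][thread] = status
    return {c: t for c, t in seen.items() if len(t) >= min_threads}

if __name__ == "__main__":
    hits = parse(SAMPLE_LOG)
    print("threads seen under several conversations:", mismatched_threads(hits))
    print("clients walking thread IDs:", enumerating_clients(hits))
```

Mail providers that fetch tracking images through a shared proxy can request many thread IDs from one address, so min_threads needs tuning against normal traffic before its output is treated as an alert.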