TypeBot
- <= 3.15.2
A vulnerability in TypeBot versions through 3.15.2 allows authenticated users to access result data from different typebots. The issue arises because the bot engine's findResult query does not filter results by typebotId. Exploitation requires the rememberUser feature to be enabled and matching variable names in the current typebot. If successful, an attacker could retrieve previous user answers, session variable values, and the hasStarted flag, potentially exposing personally identifiable information such as names, emails, and phone numbers.
Exploitation of this vulnerability could lead to unauthorized access to another user's session data, including personal information and session variables.
To reproduce this vulnerability, an authenticated user sends a request to the startChat endpoint for one typebot while supplying a resultId that belongs to a different typebot. The typebot in which the chat is started must have the rememberUser feature enabled, the foreign resultId must be valid (an existing result), and the current typebot must declare variables with the same names as those stored in the foreign result, since only name-matched variables are pre-filled. When these conditions are met, the response includes the foreign result's hasStarted flag and its matching variable values pre-filled, demonstrating the unauthorized data access.
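The following TypeScript is an added example, not Typebot's own code: it models the missing-typebotId filter in findResult and the rememberUser pre-fill path of startChat with an in-memory store standing in for the database. The typebot and result records, the variable names and the function names are all constructed for the demonstration; in the real project the fix corresponds to constraining the result query to the typebotId handling the request, which the scoped lookup below models.

```typescript
// Added example (not Typebot's code): in-memory model of the unscoped findResult
// lookup versus a lookup constrained to the current typebot.

type Variable = { name: string; value: string | null };

type StoredResult = {
  id: string;
  typebotId: string;     // the typebot that owns this result
  hasStarted: boolean;
  variables: Variable[];
};

type Typebot = {
  id: string;
  rememberUser: boolean;
  variableNames: string[]; // variables declared in this typebot
};

// Constructed sample data: two unrelated typebots, each with one stored result.
const results: StoredResult[] = [
  {
    id: "res-A1", typebotId: "bot-A", hasStarted: true,
    variables: [
      { name: "Email", value: "alice@example.com" },
      { name: "Phone", value: "+1 555 0100" },
    ],
  },
  {
    id: "res-B1", typebotId: "bot-B", hasStarted: true,
    variables: [{ name: "Email", value: "bob@example.com" }],
  },
];

const typebots: Record<string, Typebot> = {
  "bot-A": { id: "bot-A", rememberUser: true, variableNames: ["Email", "Phone"] },
  "bot-B": { id: "bot-B", rememberUser: true, variableNames: ["Email", "Name"] },
};

type ResultLookup = (resultId: string, typebotId: string) => StoredResult | undefined;

// Vulnerable shape: any existing resultId is accepted, whichever typebot owns it.
const findResultUnscoped: ResultLookup = (resultId) =>
  results.find((r) => r.id === resultId);

// Fixed shape: the lookup is constrained to the typebot handling the request.
const findResultScoped: ResultLookup = (resultId, typebotId) =>
  results.find((r) => r.id === resultId && r.typebotId === typebotId);

type StartChatResponse = { resultId: string; hasStarted: boolean; prefilled: Variable[] };

let freshResultCounter = 0;

// Models startChat with rememberUser: when a remembered result is found, the stored
// variables whose names match the current typebot's declared variables are returned
// pre-filled, together with the stored hasStarted flag.
function startChat(typebotId: string, resultId: string | undefined, lookup: ResultLookup): StartChatResponse {
  const bot = typebots[typebotId];
  if (bot === undefined) throw new Error(`unknown typebot ${typebotId}`);

  const remembered =
    bot.rememberUser && resultId !== undefined ? lookup(resultId, typebotId) : undefined;
  if (remembered === undefined) {
    // No usable remembered result: start a fresh session with nothing pre-filled.
    freshResultCounter += 1;
    return { resultId: `res-${typebotId}-new-${freshResultCounter}`, hasStarted: false, prefilled: [] };
  }

  const declared = new Set(bot.variableNames);
  return {
    resultId: remembered.id,
    hasStarted: remembered.hasStarted,
    prefilled: remembered.variables.filter((v) => declared.has(v.name)),
  };
}

// What a caller learns from a startChat response, keyed by variable name.
function leakedValues(resp: StartChatResponse): Record<string, string | null> {
  const out: Record<string, string | null> = {};
  for (const v of resp.prefilled) out[v.name] = v.value;
  return out;
}

// Demonstration: a chat started in bot-B replays a resultId that belongs to bot-A.
console.log("unscoped:", leakedValues(startChat("bot-B", "res-A1", findResultUnscoped)));
console.log("scoped:  ", leakedValues(startChat("bot-B", "res-A1", findResultScoped)));
```

With the unscoped lookup the bot-B chat receives Alice's Email from the bot-A result (Phone is withheld only because bot-B does not declare a variable of that name, which is the "matching variable names" precondition); with the scoped lookup the foreign resultId is ignored and a fresh, empty session is started.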
Users can update to TypeBot version 3.16.0 or later, where this vulnerability has been fixed.