Chatwoot Pre-Account Takeover Vulnerability via OAuth on Unconfirmed Accounts

Vulnerability

A Pre-Account Takeover vulnerability has been identified in Chatwoot's authentication process, affecting versions 2.14.0 prior to 4.13.0. The issue arises because email confirmation was not required before an account could be used. This allowed an attacker to register an email address they did not own, set a password, and wait for the legitimate owner to sign in using Google OAuth or another OmniAuth provider. The OAuth process would silently confirm the account without invalidating the attacker's password, enabling access to sensitive data on the dashboard, such as personal information and API keys.

Impact

Exploitation of this vulnerability allowed attackers to gain unauthorized access to accounts, using pre-set passwords to log in and access sensitive information, including personal data and API keys.

Reproduction

To reproduce this vulnerability, an attacker must first register an account using an email address they do not own, setting a password during the process. Afterward, the legitimate email owner must sign in via an OAuth provider, such as Google, which will confirm the account without invalidating the attacker's password. The attacker can then log in using the chosen password and access the victim's data on the Chatwoot dashboard.

Remediation

Users are advised to upgrade to Chatwoot version 4.13.0 or later. If an immediate upgrade is not possible, OAuth sign-in providers can be disabled temporarily, and user accounts should be audited for unconfirmed entries created via email/password sign-up before the first OAuth login.
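The confirm-without-invalidating flaw described above, its hardened counterpart, and the audit from the remediation step, as an added toy model that is not Chatwoot's code. It assumes a Devise-style confirmable gate on password login, a SHA-256 stand-in for bcrypt, and an in-memory user store; all names are constructed for the example.

```ruby
require 'digest'

# Toy user record (constructed for this example, not Chatwoot's model).
User = Struct.new(:email, :password_digest, :confirmed_at, :provider, keyword_init: true)

def hash_pw(pw)
  Digest::SHA256.hexdigest(pw) # stand-in for bcrypt, enough for the logic shown here
end

class UserStore
  def initialize
    @users = {}
  end

  # Email/password sign-up creates an unconfirmed account: the pre-registration step.
  def sign_up(email, password)
    @users[email] = User.new(email: email, password_digest: hash_pw(password),
                             confirmed_at: nil, provider: nil)
  end

  # Password login is gated on confirmation (Devise-style confirmable gate, assumed).
  def password_login(email, password)
    u = @users[email]
    !u.nil? && !u.confirmed_at.nil? && u.password_digest == hash_pw(password)
  end

  # Vulnerable callback: the provider vouches for the email, so the record is confirmed,
  # but the password set by whoever pre-registered the address is left intact.
  def oauth_login_vulnerable(email, provider = 'google')
    u = (@users[email] ||= User.new(email: email, confirmed_at: nil))
    u.confirmed_at ||= Time.now
    u.provider ||= provider
    u
  end

  # Hardened callback: an unconfirmed account that still carries a password was never
  # proven to belong to the person now signing in, so the password is dropped first.
  def oauth_login_hardened(email, provider = 'google')
    u = (@users[email] ||= User.new(email: email, confirmed_at: nil))
    u.password_digest = nil if u.confirmed_at.nil? && u.password_digest
    u.confirmed_at ||= Time.now
    u.provider ||= provider
    u
  end

  # Audit from the remediation section: unconfirmed accounts created by password sign-up.
  def unconfirmed_password_accounts
    @users.values.select { |u| u.confirmed_at.nil? && u.password_digest }.map(&:email)
  end
end
```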

Added: May 26, 2026, 10:40 PM
Updated: May 26, 2026, 10:40 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 7.2
remediation: 8.3
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.