Recently, while testing, I noticed that the Kayako live chat and support software labeled Fusion (most current version) has an exploit. In lengthy chat conversations with their tech teams, they have classified this exploit as an “optional feature” missing from the current version. They sent me to this developer link. Hmm. Here’s the scenario.
You have a protected knowledgebase of information, available only to paying customers: customers that you have to whitelist or allow as registered users. You also use Kayako's mail parser to turn incoming emails from customers (and everyone else) into tickets. To get into the password- and permission-protected knowledgebase (e.g. a premier vs. free access level), one only needs to send an email to any of the addresses parsed by Kayako Fusion: the moment the system accepts the email it automatically creates a registered user for the sender, which is the same state a whitelisted customer is in. Now, from the login/register page, one only needs to request LOST PASSWORD; the reset goes to the same sender address the attacker already controls, so they set a password and log straight in to the proprietary information. The whole thing works because the software treats "has an account" as equivalent to "has been approved for the restricted knowledgebase," and the mail parser hands out accounts to anyone.
Kayako promised to get back to me and advise of the conversation with their developers and true to their word, they replied:
“I had a discussion with our developers regarding the feature request: http://dev.kayako.com/browse/SWIFT-478. To move ahead, we have prioritized this feature request to be implemented soon and changed the ‘Priority’ of this feature request to Critical. Our developers will implement this feature in future releases. Please note that our developers are working around the clock to fix the issues reported by the clients and adding the new features, to bring the best product. I really appreciate your patience and understanding in this regard.”
Kayako is an INCREDIBLE company with incredibly talented staff and an even more impressive client list. I am not sure they take this as seriously as it deserves, since it is being treated as a verification issue instead of an exploit.
TEMP FIX: Remove all parsers (which makes the software pointless). Or, remove all lost-password retrieval (again, crippling the software). Or… wait for Kayako to issue a fix, currently slated as Unresolved and Future Build. Another option is an .htaccess restriction (HTTP Basic authentication) in front of the helpdesk, so that only people holding a username/password for the web server can reach the site at all. Note that those credentials are a separate gate from Kayako's own accounts, and that it also blocks anonymous visitors from the public parts of the portal and from the lost-password page itself, so it only suits an installation that is private to begin with.
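To make the flaw and the shape of the real fix concrete, here is an added Python model of the flow described above. It is a hypothetical stand-in written for this post, not Kayako's code and not based on their implementation: the HelpDesk class, the `approved` flag, the `require_approval` switch and the sample addresses are all assumptions made for the illustration. It walks the attack exactly as described (email the parser, request a lost password, log in, read a restricted article) and shows that the only thing separating the outsider from the paying customer is whether the software distinguishes "registered" from "whitelisted."

```python
"""Added illustration of the auto-registration / lost-password flaw.

Hypothetical model written for this post, not Kayako's code: the class
names, the `approved` flag, the `require_approval` switch and the sample
addresses are all constructed for the example.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _hash(password: str) -> str:
    # Toy hash for the model only; a real system would use bcrypt/argon2
    # with a per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None  # None until a password has been set
    approved: bool = False               # hypothetical: set only by staff whitelisting


class HelpDesk:
    """Stand-in for a helpdesk with a mail parser, a lost-password flow and a
    restricted (paying-customer) knowledgebase."""

    def __init__(self, require_approval: bool) -> None:
        # require_approval=False reproduces the behaviour the post describes:
        # anyone who can log in may read the restricted articles.
        self.require_approval = require_approval
        self.accounts: Dict[str, Account] = {}
        self.reset_tokens: Dict[str, str] = {}
        self.restricted_kb = {"premier-setup-guide": "proprietary content"}

    # Staff action: the whitelisting step that was supposed to gate access.
    def whitelist(self, email: str) -> None:
        self.accounts.setdefault(email, Account(email=email)).approved = True

    # Mail parser: every sender becomes a registered user so their ticket can
    # be tracked. This is the step the outsider abuses.
    def parse_incoming_email(self, sender: str, subject: str, body: str) -> Account:
        acct = self.accounts.get(sender)
        if acct is None:
            acct = Account(email=sender)
            self.accounts[sender] = acct
        return acct

    # Lost-password flow: the reset token is mailed to the registered address,
    # which for a parser-created account is the sender's own mailbox.
    def request_password_reset(self, email: str) -> Optional[str]:
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = email
        return token

    def complete_password_reset(self, token: str, new_password: str) -> bool:
        email = self.reset_tokens.pop(token, None)
        if email is None:
            return False
        self.accounts[email].password_hash = _hash(new_password)
        return True

    def login(self, email: str, password: str) -> Optional[Account]:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is None:
            return None
        return acct if secrets.compare_digest(acct.password_hash, _hash(password)) else None

    def read_restricted_article(self, acct: Account, slug: str) -> Optional[str]:
        # The fix: an account existing is registration, not authorization.
        # Only explicit staff approval opens the KB, and the reset flow never
        # touches `approved`.
        if self.require_approval and not acct.approved:
            return None
        return self.restricted_kb.get(slug)


def outsider_gets_restricted_article(require_approval: bool) -> bool:
    """Walk the attack as described: mail the parser, reset, log in, read."""
    desk = HelpDesk(require_approval=require_approval)
    desk.whitelist("customer@example.com")          # a real paying customer
    outsider = "outsider@example.net"               # constructed address
    desk.parse_incoming_email(outsider, "hello", "any text at all")
    token = desk.request_password_reset(outsider)   # lands in the outsider's inbox
    assert token is not None and desk.complete_password_reset(token, "hunter2")
    session = desk.login(outsider, "hunter2")
    assert session is not None                      # login succeeds either way
    return desk.read_restricted_article(session, "premier-setup-guide") is not None


def whitelisted_customer_still_has_access() -> bool:
    """The approval check must not lock out the customers it exists for."""
    desk = HelpDesk(require_approval=True)
    desk.whitelist("customer@example.com")
    token = desk.request_password_reset("customer@example.com")
    desk.complete_password_reset(token, "correct horse")
    session = desk.login("customer@example.com", "correct horse")
    return desk.read_restricted_article(session, "premier-setup-guide") is not None


if __name__ == "__main__":
    print("no approval check, outsider reads KB:", outsider_gets_restricted_article(False))
    print("approval required, outsider reads KB:", outsider_gets_restricted_article(True))
```

The point of the model is the last method: with `require_approval=False` the outsider's walk-through succeeds even though nobody ever whitelisted them, and with it on the identical walk-through fails while the whitelisted customer's does not. Whatever SWIFT-478 eventually ships, that is the property to verify on a patched install: send a mail to a parsed address, reset the password, and confirm the restricted articles stay closed.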