Kayako Fusion exploit found by LogicintelRecently I noticed in testing the Kayako Live chat and support software labeled as Fusion (most current version) has an exploit. In lengthy chat conversations with their tech teams, they have classified this exploit as a “optional feature” missing from the current version. They sent me to this developer link. Hmm. Here’s the scenario.

You have a current protected knowledgebase of information, available only to paying customers. Customers that you have to whitelist or allow as registered users. You also use their mail parser mechanism for parsing emails from customers (and all others). To exploit the passworded and [level-premier-free]permissioned knowledgebase, one only needs to send an email to one of any potential parsed domains (parsed via Kayako Fusion) and you are automatically whitelisted as registered as the sytem has excepted an email. Now, from the login/register page, one only needs to request a LOST PASSWORD to reset the password and then easily login to the proprietary information.

Kayako promised to get back to me and advise of the conversation with their developers and true to their word, they replied:

“I had a discussion with our developers regarding the feature request : http://dev.kayako.com/browse/SWIFT-478. To move ahead, we have prioritized this feature request to be implemented soon and changed the** ‘Priority’ of this feature request to Critical. Our developers will implement this feature in future releases. Please note that our developers are working around the clock to fix the issues reported by the clients and adding the new features, to bring the best product. I really appreciate your patience and
understanding in this regard.”

Kayako is an INCREDIBLE company with an incredible talented staff and an even more impressive client list. I am not sure if they take this as serious as it is verification issue instead of an exploit.

TEMP FIX: Remove all parsers (which makes the software pointless). Or, remove all lost password retrieval abilities (again, crippling the software). Or….wait for Kayako to issue a fix, currently slated as Unresolved and Future Build.  Another solution is to set an .htaccess file restriction, allowing only users with username/passwords access to the domain name.


4 thoughts on “Kayako Fusion Exploit uncovered CRITICAL”

  1. Hello! I just would like to give a huge thumbs up for the great info you have here on this post. I will be coming back to your blog for more soon.

  2. User groups and permissions were the first items we tested in the fix, the staff at Kayako could not fix the issue and have acknowledged the flaw. Hopefully a fix will be released soon.

  3. Getting examine this I believed it absolutely was quite educational. I enjoy you taking enough time and hard work to place this informative article jointly. I as soon as once again locate myself investing method to significantly time equally reading through and commenting. But so what, it absolutely was nevertheless worthwhile!

  4. It is really a pleasant and useful piece of info. I am happy that you shared this helpful info with us. You should keep us up to date such as this. Thanks a lot for sharing.

Leave a Reply

Your email address will not be published.