Logic, Intelligence & Communications
Saturday, April 11, 2026
Exploit

Kayako Fusion Exploit uncovered CRITICAL

Kayako Fusion exploit found by Logicintel

Recently I noticed in testing that the Kayako live chat and support software labeled as Fusion (most current version) has an exploit. In lengthy chat conversations with their tech teams, they have classified this exploit as an "optional feature" missing from the current version. They sent me to this developer link. Hmm.

Here's the scenario. You have a protected knowledgebase of information, available only to paying customers: customers that you have to whitelist or allow as registered users. You also use their mail parser mechanism for parsing emails from customers (and all others). To exploit the password-protected and permissioned knowledgebase, one only needs to send an email to any of the domains parsed via Kayako Fusion, and you are automatically whitelisted as a registered user, because the system has accepted an email. Now, from the login/register page, one only needs to request a LOST PASSWORD to reset the password and then easily log in to the proprietary information.

Kayako promised to get back to me and advise of the conversation with their developers, and true to their word, they replied:

"I had a discussion with our developers regarding the feature request: http://dev.kayako.com/browse/SWIFT-478. To move ahead, we have prioritized this feature request to be implemented soon and changed the 'Priority' of this feature request to Critical. Our developers will implement this feature in future releases. Please note that our developers are working around the clock to fix the issues reported by the clients and add new features, to bring the best product. I really appreciate your patience and understanding in this regard."

Kayako is an INCREDIBLE company with incredibly talented staff and an even more impressive client list. I am not sure they take this as seriously as it deserves, since they treat it as a verification issue instead of an exploit.

TEMP FIX: Remove all parsers (which makes the software pointless). Or remove all lost-password retrieval abilities (again, crippling the software). Or wait for Kayako to issue a fix, currently slated as Unresolved and Future Build. Another solution is to set an .htaccess file restriction, allowing only users with usernames/passwords access to the domain name.
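The root cause described above is an authorization gap, not a password-reset bug: an account created by the mail parser is indistinguishable from a customer an administrator deliberately whitelisted, so the ordinary lost-password flow (which mails a token to a mailbox the sender already controls) is enough to reach the knowledgebase. The following toy model is an added example and is not Kayako's code; the class and field names (`Account`, `approved_by`, `allowed_domains`) are assumptions made for illustration. It shows the flawed provisioning beside a hardened variant that keeps "contact created from a ticket" separate from "approved knowledgebase user", plus the audit check an administrator would run to find accounts that were approved by the parser rather than by a whitelist step.

```python
"""Toy model of the provisioning flaw: parser-created accounts vs. approved KB users.

Added example, not Kayako's code. All names and behaviour here are assumptions
chosen to mirror the scenario in the post, not the product's real API.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Account:
    email: str
    approved: bool                      # may read the protected knowledgebase
    approved_by: Optional[str] = None   # "parser" or "whitelist" (or None)
    password: Optional[str] = None
    reset_token: Optional[str] = None


class VulnerableHelpdesk:
    """Models the behaviour the post describes."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def parse_inbound_email(self, sender: str) -> Account:
        # Flaw: any sender whose mail reaches a parsed domain is provisioned
        # as an approved user, with no whitelist step in between.
        return self.accounts.setdefault(
            sender, Account(email=sender, approved=True, approved_by="parser"))

    def lost_password(self, email: str) -> Optional[str]:
        # The reset token is mailed to `email`; the sender controls that
        # mailbox, so the normal reset flow is enough to set a password.
        acct = self.accounts.get(email)
        if acct is None:
            return None
        acct.reset_token = secrets.token_urlsafe(16)
        return acct.reset_token

    def reset_password(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token is None:
            return False
        if not secrets.compare_digest(acct.reset_token, token):
            return False
        acct.password, acct.reset_token = new_password, None
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.password is None:
            return False
        return secrets.compare_digest(acct.password, password)

    def can_read_knowledgebase(self, email: str, password: str) -> bool:
        # Access is decided by the account's approval flag, so everything
        # hinges on who is allowed to set that flag.
        return self.login(email, password) and self.accounts[email].approved


class HardenedHelpdesk(VulnerableHelpdesk):
    """Same flows, but a ticket sender becomes a contact, not a KB user."""

    def __init__(self, allowed_domains: Iterable[str]) -> None:
        super().__init__()
        self.allowed_domains = {d.lower() for d in allowed_domains}

    def parse_inbound_email(self, sender: str) -> Account:
        # Inbound mail only creates a contact record; it may still reset a
        # password and log in to its own tickets, but approved stays False.
        return self.accounts.setdefault(
            sender, Account(email=sender, approved=False))

    def approve(self, email: str) -> bool:
        # The explicit whitelist step: only customers from allowed domains.
        acct = self.accounts.get(email)
        domain = email.rsplit("@", 1)[-1].lower()
        if acct is None or domain not in self.allowed_domains:
            return False
        acct.approved, acct.approved_by = True, "whitelist"
        return True


def audit_unwhitelisted_kb_users(helpdesk: VulnerableHelpdesk) -> List[str]:
    """Detection: approved accounts that did not pass the whitelist step."""
    return sorted(a.email for a in helpdesk.accounts.values()
                  if a.approved and a.approved_by != "whitelist")


def walkthrough(helpdesk: VulnerableHelpdesk, sender: str) -> bool:
    """One inbound email, one lost-password reset, then a KB access check."""
    helpdesk.parse_inbound_email(sender)
    token = helpdesk.lost_password(sender)
    if token is None or not helpdesk.reset_password(sender, token, "new-pass"):
        return False
    return helpdesk.can_read_knowledgebase(sender, "new-pass")


if __name__ == "__main__":
    v = VulnerableHelpdesk()
    print(walkthrough(v, "anyone@example.net"))           # True: KB readable
    print(audit_unwhitelisted_kb_users(v))                # ['anyone@example.net']
    h = HardenedHelpdesk(allowed_domains={"customer.example"})
    print(walkthrough(h, "anyone@example.net"))           # False: contact only
    print(audit_unwhitelisted_kb_users(h))                # []
```

The audit function is the part worth keeping even if the vendor fixes the flaw: run against an export of the real user table, the equivalent query ("approved for the knowledgebase, but never passed an explicit whitelist step") is the quickest way to find accounts that were created by the parser before a fix was applied.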