Knowledge Base Assistant Permission Issues
complete
Tobias Moser
For the knowledge base assistant, you need to expose the api_key to end users (see your JavaScript embed code). With this key, the users or attackers can download all user information.
Using this curl command…
curl --request GET "https://apihub.document360.io/v2/teams" --header "api_token: <your token>"
…the attacker got the following response of all document360 users:
{
  "result": [
    {
      "user_id": "<your id>",
      "first_name": "<first_name>",
      "last_name": "<last_name>",
      "email_id": "<email>",
      "profile_logo_url": "<profile_logo>",
      "portal_role": "<role>",
      "last_login_at": "<last_login>"
    }
  ],
  "extension_data": null,
  "context": null,
  "success": true,
  "errors": [],
  "warnings": [],
  "information": []
}
Thiru
The issue has been resolved. Kindly validate from your end as well.
Thiru
complete
Tobias Moser
What is the status of this? In my opinion this is a severe issue, which should raise your attention!
Mike Freeman
I had assumed that usage of the API key would be protected by setting up trusted domains in the 'Keep your assistant secure' section but maybe I am wrong or maybe it doesn't work.