Hooper Labs

DOM XSS in Chatbot with IBM Watson WordPress Plugin (<= v.0.8.20)

Hack the Planet

2020-01-20

Background

Chatbot with IBM Watson is a plugin for WordPress allowing administrators to include a "chatbot" functionality to interface with the Watson service in the IBM Cloud. It was developed by IBM Cognitive Class and has at least 2,000 active installations.

Download Link: Chatbot with IBM Watson

Vulnerability - CVE-2020-7239

A DOM-based XSS vulnerability has been identified in the chat functionality of the Watson Assistant plugin for WordPress, allowing a remote attacker to execute JavaScript in the victim's browser by tricking the victim into pasting HTML inside the chat box.

Steps:

  1. Locate a fresh WordPress installation.
  2. Download the IBM Watson Assistant WordPress Plugin.
  3. Install the plugin and follow the steps to set up, including but not limited to: a) create an IBM account, b) launch Watson assistant, c) view the API details, and d) integrate the API key and URL within the plugin.
  4. Within Firefox, ensure the ChatBot is enabled and observe that the ChatBot appears on the home page.
  5. Type the following into the chat interface: `<svg//onload=alert("XSS")>`
  6. Observe that a pop-up appears, indicating that JavaScript executed within the browser.
  7. Alternatively, open the browser’s developer tools’ network viewer while invoking XSS and observe that the XSS does not result from network traffic.
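The rendering pattern behind this class of bug, as an added example that is not the plugin's code (function names and the `chat-msg` markup are hypothetical): a message renderer that concatenates the chat text straight into markup, beside a version that escapes it first, run over the payload from step 5.

```javascript
// Added illustration of the DOM XSS pattern, not code from the plugin.
// Function names and the surrounding markup are assumptions.

// Vulnerable pattern: the user's message is concatenated into markup that the
// widget later assigns to innerHTML, so any tag in the text becomes live DOM
// without a single network request being involved.
function renderMessageUnsafe(text) {
  return '<div class="chat-msg user">' + text + '</div>';
}

// Escape the five characters HTML treats specially so the browser displays
// the text literally instead of parsing it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hardened pattern: escape before concatenation. Where a DOM is available the
// simpler fix is to create the element and assign text to .textContent.
function renderMessageSafe(text) {
  return '<div class="chat-msg user">' + escapeHtml(text) + '</div>';
}

// Detection helper for the comparison: strips the template wrapper and reports
// whether the remaining message body still contains a tag opener.
function containsInjectedTag(html) {
  const inner = html.replace(/^<div class="chat-msg user">|<\/div>$/g, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample input: the payload from step 5 of the advisory.
const SAMPLE_PAYLOAD = '<svg//onload=alert("XSS")>';

// renderMessageUnsafe(SAMPLE_PAYLOAD) keeps the <svg> tag intact;
// renderMessageSafe(SAMPLE_PAYLOAD) yields &lt;svg//onload=alert(&quot;XSS&quot;)&gt;
```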

Browsers Verified In:

Vulnerability Disclosure Policy

Hooper Labs takes security issues seriously. We believe in working with relevant stakeholders to achieve coordinated disclosure within a reasonable period of time. We also adhere to the industry-standard 90-day disclosure deadline, where vendors are notified of vulnerabilities immediately, with details shared to the public after 90 days (or sooner if the issues are resolved earlier).

Common Vulnerabilities and Exposures (CVEs) are an industry standard for identifying vulnerabilities. This system is a method for referencing and tracking publicly known exposures. A CVE is a way to uniquely reference vulnerabilities across systems, and the Mitre Corporation is the primary CVE Numbering Authority (CNA) for the program. We believe that users have a right to know their exposures in order to make informed risk decisions.

Hooper Labs does not participate in bug bounty programs, but instead relies on responsible disclosure. Effectively communicating vulnerabilities and risks to the vendor, users, and public ensures that risk can be documented, calculated, and mitigated. We hope that through this process the Information Domain may be marginally safer.