Zopim API Bug: Agents Are Able to Fetch Other Agents' Details
Hi,
This post is a proof of concept for a report I submitted to Zopim via HackerOne.

This bug exists in the Zopim API, according to the Zopim documentation mentioned here.

Agent details can only be fetched by an Owner or Admin account, but I could fetch these details with a plain agent account.

There are more restrictions on agents: an agent can't fetch other agents' IDs, department IDs, last login time, or how many times a user has logged in.

This information can't be accessed from the dashboard.

There are more things I can do with this call.
According to their documentation mentioned here, agents can fetch all departments; but if I fetch all agents' details, then for any agent who has been added to a department, the department details come along with the agent details.

I reported this to Zopim, but they said there is no security risk here.
But according to their documentation, I can say that a permission check is missing on that API endpoint.
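To make the missing check concrete, here is an added Python example (not Zopim's code) that models the agents listing endpoint: the unauthorized handler beside a role-aware one that enforces the Owner/Admin rule from the documentation. The role names, field names and sample directory are assumptions for illustration.

```python
# Added example, not Zopim's implementation: models an "agents" listing endpoint
# with and without the authorization check described in the post.
# Role names, field names and the sample data below are assumed for illustration.
from dataclasses import dataclass, field

PRIVILEGED_ROLES = {"owner", "admin"}   # may list every agent with all fields
SENSITIVE_FIELDS = {"id", "department_ids", "last_login", "login_count"}


@dataclass
class Agent:
    id: int
    email: str
    role: str                             # "owner", "admin" or "agent"
    department_ids: list = field(default_factory=list)
    last_login: str = ""
    login_count: int = 0


class Forbidden(Exception):
    pass


def agents_vulnerable(caller: Agent, agents: list) -> list:
    """Authenticated but not authorized: any logged-in caller gets every record."""
    return [vars(a).copy() for a in agents]


def agents_hardened(caller: Agent, agents: list) -> list:
    """Owner/Admin: full listing. Agent: only its own record. Anything else: 403."""
    if caller.role in PRIVILEGED_ROLES:
        return [vars(a).copy() for a in agents]
    if caller.role != "agent":
        raise Forbidden(f"unknown role {caller.role!r}")
    return [vars(a).copy() for a in agents if a.id == caller.id]


# Constructed sample directory (one owner, two agents in different departments).
DIRECTORY = [
    Agent(1, "owner@example.test", "owner", [10], "2016-01-01T08:00", 120),
    Agent(2, "alice@example.test", "agent", [10], "2016-01-02T09:15", 45),
    Agent(3, "bob@example.test", "agent", [11], "2016-01-03T10:30", 7),
]


def leaked_fields(caller: Agent, agents: list = DIRECTORY) -> set:
    """Sensitive fields about *other* agents that the vulnerable handler exposes."""
    leaked = set()
    for rec in agents_vulnerable(caller, agents):
        if rec["id"] != caller.id:
            leaked |= SENSITIVE_FIELDS & set(rec)
    return leaked
```

Running `leaked_fields` with an agent-role caller shows exactly the fields the post lists (IDs, department IDs, last login, login count) being returned for every other agent, while the hardened handler returns only the caller's own record.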

Zopim declined my bug.


Thanks for reading

Jitendra Singh
