Writeups

Contact Center AI (CCAI) is a Contact Center as a Service platform from Google Cloud based of UJET
The following was done as part of a VRP grant of $500, later increased by $1337

Agent XSS

On the agents control panel there was an iframe with the location controlled by the URL parameter cobrowseDomain, So you could get an XSS by navigating it to a javascript: URL… also no embedding protection.

let f = document.createElement('iframe');
f.hidden = true;
f.src = 'https://something.uc1.ccaiplatform.com/agent/?type=popup&popup=cobrowse&cobrowseDomain=javascript:alert(window.origin);%2F%2F';
document.body.appendChild(f);

Client XSS

Using the chat message feature of Cloud Contact Center an agent could XSS the user on https://websdk.ujet.co by messaging https://"onmousemove="alert(window.origin)"
This could also be done by setting a custom “Waiting for Agent Assignment Message” like <img src=x onerror=alert(window.origin)>
Because the SDK used a shared origin of https://websdk.ujet.co to render all chat sessions from Cloud Contact Center,
Any website with there own chat could hijack a different websites chat session via the window opener.
The origin was also trusted by Cobrowse which is a feature of the SDK.

Timeline

Reported agent xss on Nov 10, 2022 02:13AM (P2/S2)
Marked as fixed on Jan 19, 2023 02:00AM
Reported client xss on Nov 14, 2022 12:25PM (P2/S2)
Blamed UJET on Nov 14, 2022 03:30PM
Marked as fixed on Mar 10, 2023 07:10AM
“cannot provide monetary compensation for CCAI errors reported under the grant” on Apr 18, 2023 10:55AM
Swag rewarded on Apr 19, 2023 01:55PM