CVE-2024-57026
📋 TL;DR
TawkTo Widget versions 1.3.7 and earlier contain a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through user input. This affects websites using the vulnerable widget, potentially compromising visitors' browsers. The vulnerability requires user interaction but can lead to session hijacking or credential theft.
💻 Affected Systems
- TawkTo Widget
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or install malware through drive-by downloads.
Likely Case
Attackers inject malicious scripts to steal session tokens or credentials from users interacting with the widget, potentially leading to account compromise.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.
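Output encoding at the point where visitor input is written into the widget's markup is what turns a script payload into inert text. The following is an added illustration, not the TawkTo widget's own code; the `renderMessage*` functions and the sample chat input are constructed for the example.

```javascript
// Added example: HTML-encode untrusted chat input before it is placed in markup.
// Illustrative only; this is not the TawkTo widget's implementation.

// Characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every HTML-significant character so the browser parses it as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: visitor-controlled strings interpolated straight into markup.
function renderMessageUnsafe(visitorName, messageText) {
  return `<div class="msg"><b>${visitorName}</b>: ${messageText}</div>`;
}

// Hardened pattern: every untrusted value is encoded at output time.
function renderMessageSafe(visitorName, messageText) {
  return `<div class="msg"><b>${escapeHtml(visitorName)}</b>: ${escapeHtml(messageText)}</div>`;
}

// Returns true when the rendered markup still contains a script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input of the kind a visitor could type into the chat box.
const SAMPLE_NAME = "Visitor";
const SAMPLE_TEXT = "<script>alert(1)</script>";

console.log(renderMessageUnsafe(SAMPLE_NAME, SAMPLE_TEXT)); // script survives
console.log(renderMessageSafe(SAMPLE_NAME, SAMPLE_TEXT));   // rendered as &lt;script&gt; text
```

In a browser, assigning untrusted strings to `textContent` instead of `innerHTML` achieves the same result without a hand-written encoder.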
🎯 Exploit Status
XSS vulnerabilities are commonly weaponized. The public PoC demonstrates the vulnerability, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 1.3.7
Vendor Advisory: https://cosmosofcyberspace.github.io/tawk_to_cve.html
Restart Required: No
Instructions:
1. Update TawkTo Widget to version newer than 1.3.7
2. Clear browser caches on affected websites
3. Verify the widget functions correctly after update
🔧 Temporary Workarounds
Disable TawkTo Widget
Temporarily remove or disable the TawkTo widget from your website until it is patched.
Remove the TawkTo embed code from your website HTML.
Implement Content Security Policy
Add a strict Content Security Policy header to prevent inline script execution.
Send a header such as `Content-Security-Policy: script-src 'self'` with HTTP responses. Note that a policy limited to 'self' also blocks the widget's own externally hosted script, so use it together with removing the embed, or allow the widget's host explicitly.
🧯 If You Can't Patch
- Implement web application firewall rules to block XSS payloads
- Monitor for suspicious activity in website access logs
🔍 How to Verify
Check if Vulnerable:
Check the TawkTo widget version in your website source code or plugin settings. Look for version 1.3.7 or earlier.
Check Version:
Inspect webpage source for TawkTo script tag version parameter or check plugin/extension version in admin panel
Verify Fix Applied:
After updating, verify the widget version shows >1.3.7 and test that the chat functionality works without errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to widget endpoints with script tags
- Multiple failed chat submissions with suspicious payloads
Network Indicators:
- HTTP requests containing script tags or JavaScript in URL parameters
- Unexpected outbound connections from user browsers after widget interaction
SIEM Query:
source="web_logs" AND (uri="*tawk*" OR user_agent="*tawk*") AND (message="*<script>*" OR message="*javascript:*")