Responsible Disclosure: XSS Vulnerability Found on the Website

Hello team, I have recently discovered a security issue (XSS vulnerability) in your website. I’ve documented it and would like to report it responsibly so it can be fixed.

Hi,

Thank you for reaching out to us. Could you please provide more details about the issue you’re experiencing? This will help our team investigate and assist you more effectively.

We look forward to your response.

Best regards,

A reflected XSS vulnerability exists in the Tawk.to live chat widget. Malicious input is not properly
sanitized and is directly reflected into the DOM, allowing JavaScript execution in the context of the
embedded site.

Websites integrating this chatbot are vulnerable to reflected XSS attacks. Malicious scripts can be injected through user input and reflected back in responses, posing a serious risk to user data and site integrity. All platforms using this chatbot should implement input sanitization and output encoding to mitigate the threat.

Hi,

Thank you for reaching out and for sharing your security concern regarding the Tawk.to live chat widget.

We take such reports seriously and would like to investigate this further with you. To better understand the issue and troubleshoot it in detail, we kindly invite you to schedule a call with our technical team using the link below:

Calendly

Please note that:

  • Meeting times are shown in 24-hour format
  • All calls will be conducted via Zoom

We appreciate your cooperation and look forward to resolving this together.

Best regards,

do you have a bug bounty program ?

Hi levyhabi,

We appreciate your interest in contributing to our security efforts. Currently, we do not offer a formal bug bounty program. However, we do take all security reports seriously and welcome responsible disclosures through our designated reporting channels.

Regards,

I have also found a vulnerability, which I have mailed you on support@tawk.to. Please check it, as it is a critical vulnerability leading to stealing user cookies and more.

I think it is the bug that I have reported.

Hi,

Just checking in—have you had a chance to book a call with one of our technical team members to review this? Let us know if you need help scheduling or if there’s anything we can assist with.

Sure, I’d be happy to assist or help with scheduling the call or anything else you need. Just let me know!