
Make sure the booking cancellation is a post request and has a reason value provided. #1178

Closed
schlickspringer opened this issue Dec 15, 2021 · 5 comments
Labels: bug (Something isn't working)

Comments

@schlickspringer

Hello,

We discovered an issue where an appointment is sent via email to the customer and some kind of bot crawled the appointment details page afterwards (phishing scan or whatever). It looks like the crawler then fetched /appointment/cancel/ID and the appointment got cancelled without even an email to the customer or provider.

This is reproducible by just visiting the form action in the appointment details page.

@alextselegidis
Owner

Hello!

Thanks for reaching out for such an important issue.

we discovered an issue where an appointment is sent via email to the customer and some kind of bot crawled the appointment

How did the bot parse your received email in the first place?

FYI the public booking URLs are using random hash strings that are hard for a bot to guess just by randomly trying.

Alex Tselegidis, Easy!Appointments Creator
Need a customization? Get a free quote!

@schlickspringer
Author

Hello!

The customer who received this email notification is using some kind of virus-scanner or malware scanner that automatically scans included URLs of the email message. Therefore the URL was known to the bot.

I think it should be enough to check for the reason of cancellation and if not present just ignore the GET call.

@alextselegidis
Owner

Hello!

Thanks for writing back on this issue.

Just checking for the reason would not be sufficient as bots may provide dummy reason content as well.

Additionally the cancellation link is not part of the email (only the rescheduling link is) which means that unless there's a malware that can target only such emails, there is no way they figured out the cancellation URL from the email.

Did this issue happen again?

Alex Tselegidis, Easy!Appointments Creator
Need a customization? Get a free quote!

@schlickspringer
Author

Hello,

the issue is the following:
(Any) Bot can crawl an email message and finds links in it (here: the appointment link). To check for malware/viruses the URL is visited. When visiting this URL the bot will find other links on the same page as well to check for (here: the cancellation link). If the cancellation URL is visited even without any parameter the appointment then is cancelled. I don't think this should be possible? The cancel-appointment-form is a POST form and the GET call of /appointments/cancel/... (which bots will visit to check for malware) cancels the appointment without any notification to customer or admin.

I don't think virus-scanners will POST forms or even fill out parameters. Therefore I think just making sure that either the METHOD is correct or a reason is given is better than the current behaviour.
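The failure mode described in this thread is a state-changing action reachable through a safe HTTP method: any link-following client (a mail-security scanner, a link preview, a prefetching proxy) triggers it without intent. The sketch below is an added example, not code from the Easy!Appointments project (which is PHP/CodeIgniter); it is a framework-neutral model of the checks the reporter asks for. `Request`, `Appointment`, `cancel_handler`, and the field names `csrf_token` and `cancel_reason` are hypothetical. It rejects GET outright, requires a session-bound CSRF token compared in constant time, requires a non-blank reason, guards against double submission, and records notifications to both parties, which the original GET path never sent.

```python
# Added example, not code from the Easy!Appointments project (which is PHP/CodeIgniter).
# Framework-neutral sketch of the server-side checks discussed in this issue:
# a cancellation must be a POST, carry the session's CSRF token and a non-blank
# reason, and both customer and provider are notified when it succeeds.
# Request, Appointment, cancel_handler and the field names are hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str                           # "GET" or "POST"
    form: Dict[str, str] = field(default_factory=dict)
    session_token: Optional[str] = None   # CSRF token held server-side in the session


@dataclass
class Appointment:
    id: int
    status: str = "booked"
    notifications: List[str] = field(default_factory=list)  # who was emailed


def new_csrf_token() -> str:
    """Unpredictable per-session token that a link scanner cannot know."""
    return secrets.token_hex(16)


def cancel_handler(req: Request, appt: Appointment) -> Tuple[int, str]:
    """Handle /appointments/cancel/<id>. Returns (HTTP status, message).

    Only a well-formed POST changes state; any GET (browser, link preview,
    mail-security scanner) must be side-effect free.
    """
    # 1. Safe methods never mutate: a GET would only render the confirmation form.
    if req.method != "POST":
        return 405, "Method Not Allowed: submit the cancellation form instead"

    # 2. The submitted token must match the session token (constant-time compare).
    submitted = req.form.get("csrf_token", "")
    if not req.session_token or not hmac.compare_digest(submitted, req.session_token):
        return 403, "Forbidden: missing or invalid CSRF token"

    # 3. A cancellation reason is mandatory; whitespace-only does not count.
    reason = req.form.get("cancel_reason", "").strip()
    if not reason:
        return 400, "Bad Request: cancel_reason is required"

    # 4. Idempotency guard so a resubmitted form does not cancel or notify twice.
    if appt.status == "cancelled":
        return 409, "Conflict: appointment is already cancelled"

    appt.status = "cancelled"
    # 5. Notify both parties, which the GET path in the report never did.
    appt.notifications.extend([
        f"customer: appointment {appt.id} cancelled ({reason})",
        f"provider: appointment {appt.id} cancelled ({reason})",
    ])
    return 200, "Cancelled"


def simulate_link_scanner(appt: Appointment) -> Tuple[int, str]:
    """What a mail-security crawler does: a bare GET with no form data."""
    return cancel_handler(Request(method="GET"), appt)


if __name__ == "__main__":
    appt = Appointment(id=42)
    print(simulate_link_scanner(appt), appt.status)   # (405, ...) booked
    token = new_csrf_token()
    blank = Request("POST", {"csrf_token": token, "cancel_reason": "  "}, token)
    print(cancel_handler(blank, appt), appt.status)   # (400, ...) booked
    good = Request("POST", {"csrf_token": token, "cancel_reason": "Sick"}, token)
    print(cancel_handler(good, appt), appt.status)    # (200, 'Cancelled') cancelled
```

The method check alone already defeats the scanner described above; the token and reason checks are what stop a scanner (or a stray browser extension) that does submit forms, which is the objection raised earlier in the thread about dummy reason content.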

@alextselegidis
Owner

Hello!

You are right, an additional protection step is required, as cancellations may also happen accidentally.

Let me mark this for 1.5 🚀

Star and follow the project to receive regular development updates.

Alex Tselegidis, Easy!Appointments Creator
Need a customization? Get a free quote!

@alextselegidis alextselegidis self-assigned this Jan 7, 2022
@alextselegidis alextselegidis added the bug Something isn't working label Jan 7, 2022
@alextselegidis alextselegidis added this to the v1.5.0 milestone Jan 7, 2022
@alextselegidis alextselegidis changed the title appointment is cancelled even without submitting a reason Make sure the booking cancellation is a post request and has a reason value provided. Jan 18, 2022