chatwoot / chatwoot

Open-source live-chat, email support, omni-channel desk. An alternative to Intercom, Zendesk, Salesforce Service Cloud etc. 🔥💬
https://www.chatwoot.com/help-center

IDs exposed - sensitive information #9497

Closed fabr2004 closed 3 weeks ago

fabr2004 commented 1 month ago

Describe the bug

Hello. In a fresh Chatwoot install I've added the code below to read messages. To my surprise, IDs are being exposed. I think those IDs should not be exposed, or, if needed, they should be UUIDs.

// Log the payload of every message event the embedded widget emits
window.addEventListener('chatwoot:on-message', function(e) {
  console.log('chatwoot:on-message', e.detail)
})

Update: sensitive information also appears when a user requests/receives an e-mail with the chat content. The "ID" in the "subject" is sequential, therefore exposing how many interactions happened in that period. This will negatively impact startup companies with low customer numbers, possibly jeopardizing their commercial efforts.

To Reproduce

  1. A self hosted install with Docker
  2. Add the code: window.addEventListener('chatwoot:on-message', function(e) { console.log('chatwoot:on-message', e.detail) })
  3. Check browser console containing sensitive IDs
  4. See image below for reference

[Screenshot: Chatwoot-sensitive_IDs]

Expected behavior

IDs are being exposed. I think those IDs are sensitive information. For example, they do reflect the current number of active customers. In my opinion these should not be exposed, or, if needed, they should be UUIDs.

Environment

Docker

Cloud Provider

None

Platform

Browser

Operating system

Windows

Browser and version

Opera 109.0.5097.80 (Chromium 123.0.6312.124)

Docker (if applicable)

root@chatwoot:~# docker version
Client: Docker Engine - Community
 Version:           26.1.3
 API version:       1.45
 Go version:        go1.21.10
 Git commit:        b72abbb
 Built:             Thu May 16 08:33:35 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.1.3
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.10
  Git commit:       8e96db1
  Built:            Thu May 16 08:33:35 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.31
  GitCommit:        e377cd56a71523140ca6ae87e30244719194a521
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

root@chatwoot:~# docker info
Client: Docker Engine - Community
 Version:    26.1.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.27.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 5
  Running: 4
  Paused: 0
  Stopped: 1
 Images: 3
 Server Version: 26.1.3
 Storage Driver: overlay2
  Backing Filesystem: zfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e377cd56a71523140ca6ae87e30244719194a521
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.4-3-pve
 Operating System: Ubuntu 24.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 6GiB
 Name: chatwoot
 ID: f371b79e-f782-44e7-a3ce-6797301fed07
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

root@chatwoot:~# docker compose version
Docker Compose version v2.27.0

Additional context

No response

linear[bot] commented 1 month ago

PR-1097 IDs exposed - sensitive information

vishnu-narayanan commented 3 weeks ago

@fabr2004 Currently, we are not treating any of these as sensitive information.