Describe the bug
Hello.
In a fresh Chatwoot install I've added the code below to read messages.
To my surprise, IDs are being exposed.
I think those IDs should not be exposed, or, if needed, they should be UUIDs.
Update: sensitive information also appears when a user requests/receives an e-mail with the chat content. The "ID" in the "subject" is sequential, therefore exposing how many interactions happened in that period. This will negatively impact startup companies with low customer numbers, possibly jeopardizing their commercial efforts.
To Reproduce
A self hosted install with Docker
Add the code: window.addEventListener('chatwoot:on-message', function(e) { console.log('chatwoot:on-message', e.detail) })
Check the browser console; it contains sensitive IDs.
See image below for reference
Expected behavior
IDs are being exposed.
I think those IDs are sensitive information. For example, they reflect the current number of active customers.
In my opinion these should not be exposed, or, if needed, they should be UUIDs.
Environment
Docker
Cloud Provider
None
Platform
Browser
Operating system
Windows
Browser and version
Opera 109.0.5097.80 (Chromium 123.0.6312.124)
Docker (if applicable)
root@chatwoot:~# docker version
Client: Docker Engine - Community
Version: 26.1.3
API version: 1.45
Go version: go1.21.10
Git commit: b72abbb
Built: Thu May 16 08:33:35 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 26.1.3
API version: 1.45 (minimum version 1.24)
Go version: go1.21.10
Git commit: 8e96db1
Built: Thu May 16 08:33:35 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.31
GitCommit: e377cd56a71523140ca6ae87e30244719194a521
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
root@chatwoot:~# docker info
Client: Docker Engine - Community
Version: 26.1.3
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.14.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.27.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 5
Running: 4
Paused: 0
Stopped: 1
Images: 3
Server Version: 26.1.3
Storage Driver: overlay2
Backing Filesystem: zfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: false
userxattr: true
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: e377cd56a71523140ca6ae87e30244719194a521
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.8.4-3-pve
Operating System: Ubuntu 24.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 6GiB
Name: chatwoot
ID: f371b79e-f782-44e7-a3ce-6797301fed07
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
root@chatwoot:~# docker compose version
Docker Compose version v2.27.0
Additional context
No response