Hello.
In a fresh Chatwoot install I've added the code below to read messages.
To my surprise, IDs are being exposed.
I think those IDs should not be exposed, or if needed, they should be UUIDs.
Update: sensitive information also appears when a user requests/receives an e-mail with the chat content. The "ID" in the "subject" is sequential, therefore exposing how many interactions happened in that period. This will negatively impact startup companies with low customer numbers, possibly jeopardizing their commercial efforts.
To Reproduce
A self hosted install with Docker
Add the code: window.addEventListener('chatwoot:on-message', function(e) { console.log('chatwoot:on-message', e.detail) })
Check browser console containing sensitive IDs
See image below for reference
Expected behavior
IDs are being exposed.
I think those IDs are sensitive information. For example, they do reflect the current number of active customers.
In my opinion these should not be exposed, or if needed, they should be UUIDs.
Environment
Docker
Cloud Provider
None
Platform
Browser
Operating system
Windows
Browser and version
Opera 109.0.5097.80 (Chromium 123.0.6312.124)
Docker (if applicable)
root@chatwoot:~# docker version
Client: Docker Engine - Community
Version: 26.1.3
API version: 1.45
Go version: go1.21.10
Git commit: b72abbb
Built: Thu May 16 08:33:35 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 26.1.3
API version: 1.45 (minimum version 1.24)
Go version: go1.21.10
Git commit: 8e96db1
Built: Thu May 16 08:33:35 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.31
GitCommit: e377cd56a71523140ca6ae87e30244719194a521
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
root@chatwoot:~# docker info
Client: Docker Engine - Community
Version: 26.1.3
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.14.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.27.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 5
Running: 4
Paused: 0
Stopped: 1
Images: 3
Server Version: 26.1.3
Storage Driver: overlay2
Backing Filesystem: zfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: false
userxattr: true
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: e377cd56a71523140ca6ae87e30244719194a521
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.8.4-3-pve
Operating System: Ubuntu 24.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 6GiB
Name: chatwoot
ID: f371b79e-f782-44e7-a3ce-6797301fed07
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
root@chatwoot:~# docker compose version
Docker Compose version v2.27.0
Additional context
No response