Omission of Security-relevant Information in chatwoot/chatwoot
Nov 19th 2021
I'll explain it briefly: A contact is created with the email address "firstname.lastname@example.org" and we are writing about sensitive information. userIdentifer is required to be validated with hmac.
Now a human, on the other side of the world, comes into the chat and is asked by the bot for his email address during the chat. Without any legitimation, he simply enters "email@example.com" as his email and chats with our employee. For our employee it seems as if he is writing with the real "customer1".
If the real "customer1" now writes with our agent, the fake "customer1" can read all entries just because he entered the e-mail address. Maybe I have a thinking error? But I have just been able to test it that way in various scenarios in sandbox environments. I use an account in the Chatwoot hosted environment for testing.