
IDs exposed - sensitive information #9497

Closed
fabr2004 opened this issue May 18, 2024 · 2 comments

fabr2004 commented May 18, 2024

Describe the bug

Hello.
In a fresh Chatwoot install I've added the code below to read messages.
To my surprise, IDs are being exposed.
I think those IDs should not be exposed, or if needed, they should be UUIDs.

window.addEventListener('chatwoot:on-message', function(e) {
  console.log('chatwoot:on-message', e.detail)
})

Update: sensitive information also appears when a user requests/receives an e-mail with the chat content. The "ID" in the "subject" is sequential, therefore exposing how many interactions happened in that period. This will negatively impact startup companies with low customer numbers, possibly jeopardizing their commercial efforts.

To Reproduce

  1. A self hosted install with Docker
  2. Add the code: window.addEventListener('chatwoot:on-message', function(e) { console.log('chatwoot:on-message', e.detail) })
  3. Check browser console containing sensitive IDs
  4. See image below for reference

[Screenshot: Chatwoot-sensitive_IDs]

Expected behavior

IDs are being exposed.
I think those IDs are sensitive information. For example, they do reflect the current number of active customers.
In my opinion these should not be exposed, or if needed, they should be UUIDs.

Environment

Docker

Cloud Provider

None

Platform

Browser

Operating system

Windows

Browser and version

Opera 109.0.5097.80 (Chromium 123.0.6312.124)

Docker (if applicable)

root@chatwoot:~# docker version
Client: Docker Engine - Community
Version: 26.1.3
API version: 1.45
Go version: go1.21.10
Git commit: b72abbb
Built: Thu May 16 08:33:35 2024
OS/Arch: linux/amd64
Context: default

Server: Docker Engine - Community
Engine:
Version: 26.1.3
API version: 1.45 (minimum version 1.24)
Go version: go1.21.10
Git commit: 8e96db1
Built: Thu May 16 08:33:35 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.31
GitCommit: e377cd56a71523140ca6ae87e30244719194a521
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0

root@chatwoot:~# docker info
Client: Docker Engine - Community
Version: 26.1.3
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.14.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.27.0
Path: /usr/libexec/docker/cli-plugins/docker-compose

Server:
Containers: 5
Running: 4
Paused: 0
Stopped: 1
Images: 3
Server Version: 26.1.3
Storage Driver: overlay2
Backing Filesystem: zfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: false
userxattr: true
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: e377cd56a71523140ca6ae87e30244719194a521
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.8.4-3-pve
Operating System: Ubuntu 24.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 6GiB
Name: chatwoot
ID: f371b79e-f782-44e7-a3ce-6797301fed07
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

root@chatwoot:~# docker compose version
Docker Compose version v2.27.0

Additional context

No response

@fabr2004 fabr2004 added the Bug label May 18, 2024
linear bot commented May 18, 2024

vishnu-narayanan (Member) commented

@fabr2004 Currently, we are not treating any of these as sensitive information.
