Decouple livechat visitors from regular users #7725

Closed
janrudolph opened this issue Aug 11, 2017 · 10 comments · Fixed by #9048

Comments

@janrudolph

Description:

Customers who like to use the livechat widget have to insert a username and email address. Afterwards, they are able to chat with an agent.

Actual behavior:

If the customer knows the URL of the Rocket.Chat application, the customer is able to join the application. There, the customer is able to edit their profile, set their status and input search terms.

The Rocket.Chat application does not verify the user. The user is able to join without setting a password. This is a potential security threat.

Expected behavior:

A livechat customer should not be able to join the backend.

Server Setup Information:

  • Version of Rocket.Chat Server: 0.56.0
  • Operating System: Linux
  • Deployment Method(snap/docker/tar/etc): AWS
  • Number of Running Instances: 2
  • Node Version: v4.8.2

Steps to Reproduce:

  1. Start new livechat session (insert user name and email address)
  2. In the same browser, open the backend
  3. Now you are logged in.

@mrsimpson
Collaborator

Would it not be an easy fix to prevent users who have only got the livechat-guest role from logging in to the backend?
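One way to implement the check suggested above, as an added example that is not Rocket.Chat's own code: a Meteor `Accounts.validateLoginAttempt` hook that refuses any account whose only role is the livechat guest role. It assumes user documents carry a `roles` array and that the guest role is named `livechat-guest`, as the comment above calls it.

```javascript
// Added example (not Rocket.Chat code): deny logins for accounts that exist
// only as livechat visitors, so a record created by the widget cannot be used
// to sign in to the main application.
// Assumptions: user documents have a `roles` array, and the guest role is
// named 'livechat-guest' (as in the issue thread).
const GUEST_ROLE = 'livechat-guest';

// Pure decision function: returns true when the login should proceed.
function isLoginAllowed(user) {
  if (!user) return false; // no user document, nothing to allow
  const roles = Array.isArray(user.roles) ? user.roles : [];
  if (roles.length === 0) return false; // unknown account shape: deny (fail closed)
  // Deny only when every role the account holds is the guest role.
  return !roles.every((role) => role === GUEST_ROLE);
}

// Meteor wiring. validateLoginAttempt runs for every login method
// (password, resume token, OAuth); throwing or returning false rejects it.
// Guarded so the decision function can also be exercised outside Meteor.
if (typeof Accounts !== 'undefined' && typeof Accounts.validateLoginAttempt === 'function') {
  Accounts.validateLoginAttempt((attempt) => {
    if (!attempt.allowed) return false; // an earlier validator already failed
    if (!isLoginAllowed(attempt.user)) {
      throw new Meteor.Error('livechat-guest-login', 'Livechat visitors cannot log in here');
    }
    return true;
  });
}
```

Caveat: if the widget signs the visitor in through the same accounts system, a blanket denial like this would also break the widget, so the hook would first have to tell the widget's connection apart from the main client; decoupling the visitor records, as later comments in this thread describe, avoids that problem entirely.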

@gdelavald
Contributor

@mrsimpson @janrudolph
The question here is whether the problem is simply the user being able to see the chat interface (like a normal user), which is expected since the LiveChat Guest is a user in the server, OR if this is the user actually having access to things that he should not be able to, which is not expected and should be a vulnerability as reported.
From our tests, the first case is what prevails, with the user being able to see the chat UI but not being able to see/open rooms or direct messages.

@janrudolph
Author

@gdelavald You are right - the user is not able to see any rooms. However, he is able to enter a search query or any string in the search. The string could be an executable command. If the search is not bullet-proof, any command will be executable. Another example is the profile picture upload.
These indeed are potential vulnerabilities.

@gdelavald
Contributor

@janrudolph So, in this case the problem is not the LiveChat User accessing the interface, but possible vulnerabilities he might find, which is not related to him being able to access the interface per se, but the vulnerabilities he might abuse in the system.
I hope you see where I'm going with this: the problem is not the access, because if any of those points of access (search query, picture upload, ...) have a vulnerability, it will not be only for LiveChat users, but for all users.
I would like to close this issue since we've cleared that the LiveChat accessing the interface is not the source of any vulnerability, if we do find any reproducible exploit we can open a new issue to fix it.

@janrudolph
Author

@gdelavald Okay, we will walk that away. However, I think the access for non-real users confuses customers who use the livechat plugin. Maybe this issue is more about "feelings". What do you think?

@gdelavald
Contributor

Yeah, I understand that could be confusing, I'll check the cases where this could happen and research a way we could improve the experience.
I'll close this issue as this is no longer a vulnerability but an improvement to the usability.
Thanks for the feedback.

@sampaiodiego
Member

I'm currently working on "fixing" this. I'm separating livechat users from regular users, so this will not happen anymore.

@sampaiodiego sampaiodiego changed the title Potential threat - Unregistered LiveChat widget user is able to have a look in the backend Decouple livechat visitors from regular users Nov 24, 2017
@sampaiodiego
Member

Since I'm going to work hard on this, I renamed the issue title to better fit what I'm doing, so reopening ...

@sampaiodiego sampaiodiego reopened this Nov 24, 2017
@mrsimpson
Collaborator

@diegosampaio title sounds great!

@mrsimpson
Collaborator

(And like quite a bit of work)
