Avatar endpoint accessible without authentication #3480

@scruplelesswizard

Description

Your Rocket.Chat version: 0.33.0

The /avatar endpoint is accessible without authentication.

This creates two security-related issues:

  1. As user avatars are stored by using the username as the file name, this provides an attacker with an easily exploitable method of getting valid user names.
  2. Private information (the avatar photos) is accessible to unauthenticated parties.

Two proposed mitigations:

  1. Store user avatars using a hash of the username as the filename.
  2. Require an authenticated user before allowing access to the /avatars endpoint, or return an HTTP 401.
