
Decouple livechat visitors from regular users #7725

@janrudolph

Description:

Customers who like to use the livechat widget have to insert a username and email address. Afterwards, they are able to chat with an agent.

Actual behavior:

If the customer knows the URL of the Rocket.Chat application, the customer is able to join the application. There, the customer is able to edit their profile, set their status and input search terms.

The Rocket.Chat application does not verify the user. The user is able to join without setting a password. This is a potential security threat.

Expected behavior:

A livechat customer should not be able to join the backend.

Server Setup Information:

  • Version of Rocket.Chat Server: 0.56.0
  • Operating System: Linux
  • Deployment Method(snap/docker/tar/etc): AWS
  • Number of Running Instances: 2
  • Node Version: v4.8.2

Steps to Reproduce:

  1. Start new livechat session (insert user name and email address)
  2. In the same browser, open the backend
  3. Now you are logged in.
