Description
The public method EmbeddedChatApi.getRoomInfo() exposes all rooms (public channels, private groups, and direct messages) that the authenticated user has joined, instead of restricting access to the single embedded room context (this.rid).
Internally, getRoomInfo() calls the Meteor method rooms/get using method.call with empty parameters (params: []). By default, rooms/get returns all subscriptions for the calling user.
As a result, any page embedding Rocket.Chat — or any malicious script with access to the globally exposed RCInstance object — can enumerate a user’s private conversations outside the scope of the embedded widget.
This breaks the isolation guarantees of Embedded Chat and results in a severe privacy leak.
Embedded Chat is expected to operate in a sandboxed, single-room context. Exposing all user rooms:
- Leaks private channels and direct messages
- Reveals sensitive room metadata (names, IDs, types)
- Allows host pages or injected scripts to access data beyond the intended embedded scope
This violates user privacy expectations and weakens security boundaries between the host page and Rocket.Chat.
Steps to Reproduce
- Authenticate in Embedded Chat using a user account that belongs to multiple rooms (for example: #general, a private group, and one or more DMs).
- Open the browser developer console.
- Access the embedded API instance and run:
  await RCInstance.getRoomInfo();
- Inspect the returned value.
Expected Behavior
getRoomInfo() should return information only for the embedded room identified by this.rid.
No metadata for other channels, private groups, or DMs should be exposed.
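The reported behaviour next to a room-scoped alternative, as an added illustration that is not EmbeddedChat's code: the Meteor transport is replaced by a synchronous stub, and callMethod, getRoomInfoLeaky, getRoomInfoScoped, leaksOtherRooms and the sample rooms are all constructed here.

```javascript
// Constructed sample of what rooms/get returns for a user joined to three rooms
// (Rocket.Chat room types: 'c' public channel, 'p' private group, 'd' direct message).
const SAMPLE_ROOMS = [
  { _id: 'GENERAL', name: 'general', t: 'c' },
  { _id: 'grp01', name: 'secret-project', t: 'p' },
  { _id: 'dm01', t: 'd', usernames: ['alice', 'bob'] },
];

// Stand-in for method.call (hypothetical): rooms/get with empty params
// returns every subscription of the calling user, as described in the issue.
function callMethod(name, params) {
  if (name === 'rooms/get' && params.length === 0) return SAMPLE_ROOMS;
  throw new Error(`unsupported method ${name}`);
}

// Behaviour described in the issue: the embedded room id (rid) is never used,
// so every room the user has joined is handed to the caller.
function getRoomInfoLeaky(rid) {
  return callMethod('rooms/get', []);
}

// Scoped variant: keep only the embedded room and only the fields the widget
// needs, so nothing about other conversations reaches the host page.
function getRoomInfoScoped(rid) {
  const room = callMethod('rooms/get', []).find((r) => r._id === rid);
  if (!room) return null;
  const { _id, name, t } = room;
  return { _id, name, t };
}

// Regression check: true if the result references any room other than rid.
function leaksOtherRooms(fn, rid) {
  const result = fn(rid);
  const list = Array.isArray(result) ? result : [result];
  return list.filter(Boolean).some((r) => r._id !== rid);
}
```

Filtering in the client still downloads every subscription; the stronger fix is a server-side method that takes rid and returns only that room, which this stub does not model.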
