Time: From 28 July 2020
Affected: Users of Rocket.Chat
Impact: Push notifications for mobile clients do not contain any content information
A very recent configuration change to push notifications for mobile clients for Rocket.Chat removed the content of author/channel and a snippet of the text from these notifications. Clients still receive a notification about new messages but without content information.
During an unrelated occasion it was discovered that Rocket.Chat sends push notifications to mobile clients through a gateway of the company Rocket.Chat and through Google’s Firebase Cloud Messaging service. The Firebase service is a common tool for this kind of purpose and utilized by other messaging service in a similar manner. Until the privacy aspect of relaying through a gateway of Rocket.Chat has been explored we decided to turn of sending content information for push notifications. A key aspect of operating our own chat service is the sovereignty of our users data and privacy, which led to this decision.