
Security Vulnerability: Old Chat Sessions Remain Accessible After Persona Set to Private

Open skywinder opened this issue 1 year ago • 0 comments

Issue Description

There is a security issue where, after a persona is toggled to private in the app, the previously active chat link remains accessible. This exposes all past conversation data, potentially allowing unauthorized users to access sensitive information.

Steps to Reproduce

  1. Go to profile and make a persona public (using the toggle)
  2. Access the persona via the link: https://personas.omi.me/chat?id=XXX
  3. Make the persona private again using the toggle in the app
  4. Observe that the previous link still works and the chat continues to respond with all user data
  5. The link remains accessible to anyone who has it

Expected Behavior

When a persona is set to private, all existing links should be immediately invalidated and access should be revoked.

Current Behavior

  • The previous chat remains accessible via the original link
  • New conversations can still be initiated through the same link in different sessions
  • User data remains exposed despite the privacy setting change

Security Implications

This vulnerability exposes user data and conversations that users believe to be private, creating a significant privacy breach.

Suggested Fix

  • Implement session-based protection with unique IDs
  • Automatically revoke all active sessions when privacy status changes to private
  • Implement proper access control checks before serving any persona data

Additional Information

This issue affects the personas.omi.me service and the privacy controls in the mobile app.

skywinder, Mar 10 '25 11:03
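The per-request visibility check and session revocation that the suggested fix calls for, as an added example that is not omi's code; the in-memory store, the handler names and the `XXX` persona id are assumptions standing in for the real service:

```python
# Added example (not omi's code): a chat link stops working the moment its
# persona is toggled private, because visibility is re-checked on every request.
import secrets
from dataclasses import dataclass, field


@dataclass
class Persona:
    id: str
    is_public: bool = False
    # chat session tokens issued while the persona was public
    sessions: set = field(default_factory=set)


class PersonaStore:
    def __init__(self):
        self._personas = {}

    def add(self, persona):
        self._personas[persona.id] = persona

    def set_visibility(self, persona_id, is_public):
        p = self._personas[persona_id]
        p.is_public = is_public
        if not is_public:
            p.sessions.clear()  # revoke every active session on going private

    def open_chat(self, persona_id):
        """Stand-in for GET /chat?id=...: returns a session token or None."""
        p = self._personas.get(persona_id)
        if p is None or not p.is_public:
            return None  # same answer for unknown and private ids
        token = secrets.token_urlsafe(32)
        p.sessions.add(token)
        return token

    def send_message(self, persona_id, token, text):
        """Stand-in for posting a chat message: checks visibility every call."""
        p = self._personas.get(persona_id)
        if p is None or not p.is_public or token not in p.sessions:
            return None  # private, revoked or unknown session: serve nothing
        return f"[{p.id}] echo: {text}"  # placeholder for the model reply


def walkthrough():
    """Replays the issue's reproduction steps against the hardened store."""
    store = PersonaStore()
    store.add(Persona(id="XXX"))                      # constructed persona
    store.set_visibility("XXX", True)                 # step 1: make public
    token = store.open_chat("XXX")                    # step 2: open the link
    before = store.send_message("XXX", token, "hi")   # works while public
    store.set_visibility("XXX", False)                # step 3: make private
    after = store.send_message("XXX", token, "hi")    # step 4: old session
    fresh = store.open_chat("XXX")                    # step 5: new session
    return before, after, fresh
```

The old session and any new one opened through the same link both get no persona data once the toggle flips to private, which is the expected behaviour the issue describes.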