Dear developers and community members,
I have discovered an extremely concerning and disheartening security flaw in the Nextcloud E2EE system. Please address this issue ASAP.
While testing the E2EE system I have discovered that the files stored in the “encrypted” folder are in fact being stored as plain text on my servers. I followed the standard procedure of creating an empty folder, and right-clicking it in the desktop front-end and clicking on encrypt. The folder is marked with a green lock in the front-end marking it as an encrypted folder. Then I added files in the folder in Windows Explorer to the encrypted folder and waited for the front-end to indicate that the synchronization process has completed. When trying to access the folder through the web interface, it says that operation is not permitted, as is to be expected.
After this procedure, I looked inside the data folder on my server, and I have found that the files in the encrypted folder are present in plain text just as any other non-encrypted folder.
Please take the necessary precautions, and investigate how this obvious security flaw was allowed to exist in the code. I believe this issue is easy to reproduce, as I have not done anything unusual to produce this issue.
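
One way to repeat the server-side check described in this post over a whole folder, as an added example that is not part of the original post and is not Nextcloud code: a heuristic that flags files readable as stored (known file signatures, printable UTF-8 text, low byte entropy). The function names, the signature shortlist and the sample files are constructed for illustration; point `scan` at the folder's location inside your own data directory.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes of common unencrypted formats (constructed shortlist, not exhaustive).
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg",
         b"PK\x03\x04": "zip/office", b"GIF8": "gif"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(data: bytes) -> str:
    """Return 'plaintext:<reason>' when the bytes are readable as stored, else 'opaque'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return f"plaintext:{name}"
    # Invalid UTF-8 decodes to U+FFFD, which is treated here as "not text".
    text = data.decode("utf-8", errors="replace")
    if text and all((ch.isprintable() and ch != "\ufffd") or ch in "\r\n\t" for ch in text):
        return "plaintext:text"
    # Short samples cannot reach 8 bits/byte, so compare with the achievable ceiling.
    if len(data) >= 64 and entropy(data) < 0.9 * math.log2(min(256, len(data))):
        return "plaintext:low-entropy"
    return "opaque"

def scan(folder: Path, sample: int = 65536) -> dict[str, str]:
    """Map each file under folder (relative path) to its verdict."""
    out = {}
    for p in sorted(folder.rglob("*")):
        if p.is_file():
            with p.open("rb") as fh:
                out[p.relative_to(folder).as_posix()] = classify(fh.read(sample))
    return out

def demo() -> dict[str, str]:
    """Constructed sample tree: two readable files and one ciphertext-like blob."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_text("meeting notes, not encrypted\n")
        (root / "report.pdf").write_bytes(b"%PDF-1.7\n" + blob)
        (root / "a1b2c3").write_bytes(blob)
        return scan(root)

if __name__ == "__main__":
    print("\n".join(f"{verdict:22} {name}" for name, verdict in demo().items()))
```

An "opaque" verdict only means the bytes look random; it does not prove the file is encrypted, whereas any "plaintext" verdict means the content is readable on the server as stored.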