Security issue user account switching

Nextcloud version : 20.0.8.1
Operating system and version: unknown
Apache or nginx version: unknown
PHP version (eg, 7.4): unknown
Provider: https://mark.nl.tab.digital

The issue you are facing:
Today it happened that suddenly my Nextcloud desktop sync client (v2.6.5 on Ubuntu) switched over to a different user and began syncing files from the other account. I immediately stopped, went to web interface and

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it (most probably not reproducible for any provider and any account):

  1. Go to web interface
  2. Log in
  3. Go to settings and back to files
  4. Content of different user shown

Changing password did not help. In the follow-up attempts I was even seeing the foreigner's page even when going to settings. Only after 2 attempts I was fast enough to delete my account before it switched over to the other user's account.

Between the attempts I got the following message switching to dashboard:
[screenshot: screen-0513-124622]

  • That littlewalter… - is not my user account!

Anybody who has experienced such an issue?

Tried to inform the provider about the incident, but not easy to find a contact there, hope I sent it to the correct recipients…

Same problem, please help!

Hi,

Did you try with server 20.0.9, or ask your provider to use an up to date nextcloud version?

It is not easy to contact the provider… (Tabdigital).

OK, so both of you have the same provider? Maybe it’s an issue on his side only.


I’ve contacted the other profile’s owner by mail (I can see his personal information).
Now I’m waiting for a response.
If nobody contacts me, I will delete the profile. :disappointed_relieved:
I’m sorry, but I need my files.

I did trigger a security scan for that provider: Nextcloud Security Scan Results
BTW: Thanks for that service!

I have written to them via their Facebook page and to an email address I found - but yes, it was not easy to find an email address. I did not contact the other user as I am not sure if it is not one produced by a hacker (was uploading shell scripts).

Unfortunately it looks like a security breach. I hope, it is a configuration failure at the provider and not a general security bug in NextCloud.

Hello, I have a critical security issue.
This morning when logging into my Mac Nextcloud desktop client, I noticed I was logged into an account that wasn’t mine. I was able to see another Nextcloud user’s personal data uploaded to their Nextcloud. I had access to all contacts, calendars, files, and account activity etc. I do not know how I was logged into this person’s account, all I know is that my Nextcloud client was synced to their account. I contacted the email of the user I was logged into to notify them but I got no response.

As of now, I have deleted my account. I was using the cloud provider tabdigital and contacted their support as well. I have gotten no response.

I don’t know “tabdigital”. But when you search the forum here you’ll find several threads where similar bad stuff happened. That (tabdigital) doesn’t look trustworthy.

If it is only that provider, ok, yes, then that one is not trustworthy.
But: How can it happen? - Potential misconfiguration at that provider?
Is it probably a misconfiguration that may happen also to others?
I was thinking of how it could happen - e.g. hijacking of session IDs or something the like. And they did not respond yet to my messages.

If your provider doesn’t fix this big issue and doesn’t respond to your messages, maybe you should consider changing to another provider.
Hope for you it will be fixed soon.

I already deleted my account there. Was just a test/unimportant account.

Just a shot in the blue… Things like this can happen if you’re using webserver-based caching wrong. Or to be more precise, in an environment where it doesn’t fit in.

Example: Web servers can cache static requests very efficiently. But if you configure it wrong you can end up with caching dynamic, session-based, user content as well. So user A is requesting a URL of your application. The content is now cached. Then, user B is requesting the same URL. With badly configured caching user B gets the same (!) content as user A.

Disclaimer: I don’t know what happened here. But this is something that happened to me when I tried to use caching (Apache mod_cache) and a PHP application.

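The cache misbehaviour described in the post above, as an added simulation that is not the poster's or the Nextcloud project's code (the cache classes, session table, paths and response bodies are constructed): a cache keyed on the URL alone hands Alice's files page to Bob, while a cache that bypasses requests carrying a session cookie and honours `Cache-Control: private`/`no-store` does not, yet still caches public static assets.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

SESSIONS = {"sid-alice": "alice", "sid-bob": "bob"}   # constructed session table

def origin(path, cookie):
    """Constructed stand-in for the app: /core/ assets are public, /apps/files/ is per-user."""
    if path.startswith("/core/"):
        return Response("static-js", {"Cache-Control": "public, max-age=3600"})
    user = SESSIONS.get(cookie)
    if user is None:
        return Response("login-page", {"Cache-Control": "no-store"})
    return Response(f"files-of-{user}", {"Cache-Control": "private, no-store"})

class NaiveCache:
    """Misconfigured edge cache: keyed on URL only, stores every response it sees."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}
    def fetch(self, path, cookie=None):
        if path in self.store:
            return self.store[path]          # served to anyone, regardless of session
        resp = self.origin(path, cookie)
        self.store[path] = resp
        return resp

class SafeCache:
    """Cache that honours Cache-Control and never stores session-bound responses."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}
    def fetch(self, path, cookie=None):
        if cookie is not None:               # authenticated request: bypass the cache
            return self.origin(path, cookie)
        if path in self.store:
            return self.store[path]
        resp = self.origin(path, cookie)
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" not in cc and "private" not in cc and "Set-Cookie" not in resp.headers:
            self.store[path] = resp
        return resp

def simulate(cache_cls, path="/apps/files/"):
    """Alice then Bob request the same URL through the cache; return what Bob gets."""
    cache = cache_cls(origin)
    cache.fetch(path, cookie="sid-alice")
    return cache.fetch(path, cookie="sid-bob").body
```

`simulate(NaiveCache)` returns Alice's page for Bob, which is exactly the cross-user leak the thread reports; `simulate(SafeCache)` returns Bob's own page.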

@AlfredSK , that sounds reasonable and maybe happened here, as the same URL base name is used for different users which in reality are different mandators (same subdomain for everybody - so same application URLs). In reality it would be better to have different (sub)domains for different clients.

See also Hacked NextCloud Account via Android App [?] · Issue #26988 · nextcloud/server · GitHub

@bloo thanks for mentioning this - in the particular issue here however it can’t be the cause - I didn’t have that account set up on my phone either.

Hey, but I have noticed that in your link it is the same e-mail address of the same user that I had access to, and in the issue this thread is referenced. I would add that it is obviously not just Android, but also occurred purely using the web interface - so independent of the client used the issue occurred. That makes the caching theory even more probably the reason.

Hi all,

We are aware of this issue and we are working together with tab.digital to fix it. Hopefully it will be resolved in the coming days. We’re very sorry for this, as it is an obvious privacy problem, so it has the highest priority.

I’m also sorry for the late message, we have been working on it for some 2 weeks, it’s been slow as it is hard to find the problem, but we should’ve informed here sooner.


Could you find out if it is a proxy/cache problem or a potential problem in Nextcloud?