Security issue user account switching

Nextcloud version :
Operating system and version: unknown
Apache or nginx version: unknown
PHP version (eg, 7.4): unknown

The issue you are facing:
Today it happened that suddenly my Nextcloud desktop sync client (v2.6.5 on Ubuntu) switched over to a different user and began synching files from the other account. I immediately stopped, went to web interface and

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it (most probably not reproducable for any provider and any account):

  1. Go to web interface
  2. login
  3. Go to settings and back to files
  4. Content of different user shown

Changing password did not help. In the followup-attempts I was even seeing the foreigners page even when going to settings. Only after 2 attempts I was fast enough delete my account before it switched over to the other users account.

Between the attempts I got the following message switching to dashboard:

  • That littlewalter… - is not my user account!

Anybody who has experienced such an issue?

Tried to inform the provider about the incident, but not easy to find a contact there, hope I sent it to the correct recipients…

Same problem, please help!


Did you try with server 20.0.9, or ask your provider to use an up to date nextcloud version?

Is not easy contact the provider… (Tabdigital).

OK, so both of you have the same provider? Maybe it’s an issue on his side only.

1 Like

I’ve contacted the other profile’s owner by mail (i can see his personal informations).
Now i’m waiting response.
If nobody contact me, i will delete the profile. :disappointed_relieved:
I’m sorry but i need my files.

I did trigger a security scan for that provider: Nextcloud Security Scan Results
BTW: Thanks for that service!

I have written to them via their Facebook page and to an email-address I found - but yes, it was not easy to find an email address. I did not contact the other user as I am not sure if it is not one produced by hacker (was uploading shell scripts).

Unfortunately it looks like a security breach. I hope, it is a configuration failure at the provider and not a general security bug in NextCloud.

Hello, I have a critical security issue.
This morning when logging into my mac next cloud desktop client, I noticed I was logged into an account that wasn’t mine. I was able to see another nextcloud users personal data uploaded to their nextcloud. I had access to all contacts, calendars, files, and account activity etc. I do not know how I was logged into this persons account, all I know is that my nextcloud client was synced to their account. I contacted the email of the user I was logged into to notify them but I got no response.

As of now, I have deleted my account. I was using the cloud provider tabdigital and contacted their support as well. I have gotten no response.

I don’t know “tabdigital”. But when you search the forum here you’ll find several threads where similar bad stuff happend. That (tabdigital) doesn’t look trustworthy.

If it is only that provider, ok, yes, then that one not trustworthy.
But: How can it happen? - Potential missconfiguration at that provider?
Is it probably a missconfiguration that may happen also to others?
I was thinking of how it could happen - e.g. hijacking of session ids or something the like. And they did not respond yet to my messages.

If your provider don’t fix this big issue and don’t respond to your messages, maybe you should consider to change to another provider.
Hope for you it will be fixed soon.

I already deleted my account there. Was just a test/unimportant account.

Just a shot in the blue… Things like this can happen if you’re using webserver based caching wrong. Or to be more precise in an environment where it doesn’t fit in.

Example: Web servers can cache static requests very efficiently. But if you configure it wrong you can end up with caching dynamic, session based, user content as well. So user A is requesting a URL of your application. The content is now cached. Then, user B is requesting the same URL. With bad configured caching user B gets the same (!) content as user A.

Disclaimer: I don’t know what happened here. But this is something that happened to me when I tried to use caching (Apache mod cache) and a PHP application.

1 Like

@AlfredSK , that sounds reasonable and maybe happened here, as the same url base name used for different users which in reality are different mandators (same subdomain for everybody - so same application urls). In reality it would be better to have different (sub)domains for different clients.

See also Hacked NextCloud Account via Android App [?] · Issue #26988 · nextcloud/server · GitHub

@bloo thanks for mentioning this - in the particular issue here however it can’t be the cause - I didn’t hat that account setup on my phone either.

Hey, but I have noticed, that in your link it is the same e-mail address of the same user that I had access to and in the issue this thread is referenced. I would add that it is obviously not just Android, but also occured purely using the web interface - so independent of client used the issue occured. That makes the caching theory even more probably the reason.

Hi all,

We are aware of this issue and we are working together with to fix it. Hopefully it will be resolved in the coming days. We’re very sorry for this, as it is an obvious privacy problem, so it has the highest priority.

I’m also sorry for the late message, we are working on it since some 2 weeks, it’s been slow as it is hard to find the problem, but we should’ve informed here sooner.

1 Like

Could you find out if it is a proxy/cache problem or a potential problem in the NextCloud?