Server: Huge security issue when sharing folder

Created on 18 May 2018 · 6 comments · Source: nextcloud/server

The steps to share a folder and add a password are automatic, and this could lead to a big security issue when combined with the browser's autofill feature.

Steps to reproduce

  1. Save your login credentials in your browser
  2. Login
  3. Create a folder
  4. Share it and enter an email (put your own email as a test)
  5. You should receive an email saying that your cloud shared a folder with you
  6. On your cloud page, in the email field, the email has been replaced by your login
  7. Click the 3 dots to "protect with a password"
  8. You receive an email with your login password

Expected behaviour

Shouldn't send the password without a confirmation, a button or similar

Actual behaviour

Sends the login password because of the browser's autofill feature

Server configuration

Operating system:
Linux debian

Web server:
Apache 2

Database:
Mysql

PHP version:
7.2

Nextcloud version: (see Nextcloud admin page)
13.0.2

Labels: 0. Needs triage, bug, security


All 6 comments

Hey :)
It is supposed to be fixed, see https://github.com/nextcloud/server/pull/7461

Firefox 60 will ignore the 'new-password' property of the password field and still auto-fill it.
As a workaround it's possible to duplicate the password field and set the second one as not visible - with two fields present, Firefox is unable to decide which to auto-fill and will not fill either.

This sounds like a bug in Firefox. Could you report it there as well and check if this is the wanted behavior?

See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input#attr-autocomplete

This sounds like a bug in Firefox.

According to this, it is intended behaviour: https://bugzilla.mozilla.org/show_bug.cgi?id=1353035

I don't agree with Mozilla. It's a huge security issue in Nextcloud's case, when LDAP auth is enabled and users have their AD domain passwords saved in FF's password manager.

Until Mozilla introduces a change in their browser, would it be possible for the Nextcloud team to engineer a workaround for this? Considering that even if Firefox starts honoring 'autocomplete=off/new-password' in the future, it would still be an issue on older versions of the browser.

#10647 could be a viable workaround if implemented.

Can confirm this issue still persists in Nextcloud 13.0.6 and Firefox 61.0.1.

The problem is that you can easily send out your password by accident, because of the dangerous combination of autofill + Nextcloud sending the share email out without a confirm button.

"Workarounds" for the moment: don't save your NC login in Firefox or save more than one NC account credentials in Firefox, because then autofill won't happen.

Fixed with #15719
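Added example, not Nextcloud code and not anything posted in the thread: it models the failure the issue reports (a lone password field that Firefox 60 autofills with the saved login password, and a dialog that mails the value without an explicit confirmation) next to the two mitigations the thread asks for, a second password field so that Firefox has no single field to fill, and a send gate that only releases a non-empty, repeated password on an explicit click. The function names, field names and the sample saved password are assumptions made for this illustration; the autofill model encodes only the Firefox 60 behaviour described in the comments above.

```javascript
// Added example (not Nextcloud code, not anything posted in the thread).
// Function names, field names and the sample password are assumptions.

// Fields of the share dialog as the browser sees them: {type, name, value}.
function legacyFields() {
  // One lone password field with autocomplete="new-password", the attribute
  // Firefox 60 ignores according to the thread.
  return [{ type: 'password', name: 'password', autocomplete: 'new-password', value: '' }];
}

function hardenedFields() {
  // Two password fields: the real one and a repeat/confirm field. With two
  // candidates Firefox 60 fills neither, and the confirm field also makes the
  // user look at what is about to be mailed.
  return [
    { type: 'password', name: 'password', autocomplete: 'new-password', value: '' },
    { type: 'password', name: 'confirm', autocomplete: 'new-password', value: '' },
  ];
}

// Model of the Firefox 60 behaviour reported in the thread: ignore
// autocomplete="new-password", fill a single password field with the saved
// login password, fill nothing when more than one password field is present.
function simulateFirefox60Autofill(fields, savedPassword) {
  const pwFields = fields.filter(f => f.type === 'password');
  if (pwFields.length === 1) pwFields[0].value = savedPassword;
  return fields;
}

// The reported (vulnerable) flow: as soon as the password field holds a value,
// the share e-mail goes out. No click, no confirmation.
function legacySendOnFill(fields) {
  const pw = fields.find(f => f.name === 'password');
  return pw && pw.value !== '' ? { send: true, password: pw.value } : { send: false };
}

// The hardened flow: send only on an explicit click, with a non-empty password
// that the user repeated correctly. Returns {send, password} or {send, reason}.
function decideSharePasswordSend({ password, confirm, clicked }) {
  if (!clicked) return { send: false, reason: 'no explicit confirmation' };
  if (typeof password !== 'string' || password.length === 0) {
    return { send: false, reason: 'empty password' };
  }
  if (password !== confirm) return { send: false, reason: 'confirmation does not match' };
  return { send: true, password };
}

// Markup for the hardened dialog. The form is autocomplete="off" and the send
// button is type="button", so nothing can submit implicitly; the decision
// function above is what a click handler would call.
function renderSharePasswordForm(shareId) {
  const id = String(shareId).replace(/[^A-Za-z0-9_-]/g, '');
  return [
    `<form id="share-password-${id}" autocomplete="off">`,
    '  <label>Password <input type="password" name="password" autocomplete="new-password"></label>',
    '  <label>Repeat <input type="password" name="confirm" autocomplete="new-password"></label>',
    '  <button type="button" name="send">Send password by mail</button>',
    '</form>',
  ].join('\n');
}

// Walk both flows with a constructed saved login password (not a real credential).
function demo() {
  const saved = 'correct horse battery staple';
  const legacy = legacySendOnFill(simulateFirefox60Autofill(legacyFields(), saved));
  const hardenedForm = simulateFirefox60Autofill(hardenedFields(), saved);
  const hardened = decideSharePasswordSend({
    password: hardenedForm[0].value,
    confirm: hardenedForm[1].value,
    clicked: false,
  });
  return {
    legacyLeaksLogin: legacy.send === true && legacy.password === saved,
    hardenedSends: hardened.send,
  };
}
```

The gate does not depend on the browser honouring `autocomplete`, which is the point raised above about older Firefox versions: even if a browser does fill the first field, nothing is mailed until the user repeats the value and clicks Send.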
