Server: Security issue: twofactor_totp disabled during upgrade w/o any explicit warning

Created on 7 Aug 2018  ·  11 Comments  ·  Source: nextcloud/server

Steps to reproduce

  1. Have a running 13.0.5.2 instance w/ twofactor_totp enabled and used by X for security reasons
    1.5 Log in as X, being prompted for TOTP and entering it
  2. Upgrade to 14.0.0 Beta 2 via web-updater
    2.5 See no warnings about 'twofactor_totp' (be lazy enough to watch through the detailed log)
  3. Log into X's account w/ just the password and be surprised
  4. Check if 'twofactor_totp' is enabled and see it disabled
  5. Check if 'twofactor_totp' is an official app and see it IS, but it's incompatible with the current server version running
  6. Check X's mailbox for any precautions or warnings sent from X's NC instance
  7. Think about some basic concepts of InfoSec
enhancement

All 11 comments

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/4200 (E-Mail notification "sharebymail" function), https://github.com/nextcloud/server/issues/1716 (Notification E-Mail all 30 mins), https://github.com/nextcloud/server/issues/6204 (e-mail notifications for activities are not received ), https://github.com/nextcloud/server/issues/8523 (Resharing a password protected folder by e-mail leads to an error and incorrect notifications), and https://github.com/nextcloud/server/issues/3596 (Email notifications for pending upgrades).

Should I downgrade to have my security-related inconvenience back?

@oddmean there is a bug that prevents the app from showing. But it actually is available for 14, see: https://apps.nextcloud.com/apps/twofactor_totp

Beta3 on thursday will have this all fixed and sorted out.

@rullzer thank you! But there maybe should be some flag for security-related apps causing them not to be disabled automatically and/or causing the upgrade procedure to show EVIL WARNINGS everywhere.

@oddmean we actually improved the 2FA state for 14 (before, they were stateless). This should make sure that after 14 all the states of your providers are stored in the DB as well, protecting your account even if an app somehow got disabled.
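
To make the difference between the two designs concrete, here is an added toy model (my own illustration, not Nextcloud code) of the upgrade scenario from the report. The "stateless" mode mimics what the thread describes for 13.x: the core only asks provider apps that are currently loaded, so a disabled `twofactor_totp` is never asked and the user falls through to a password-only login. The "stateful" mode mimics the 14 design described above: per-user provider state is kept in a core table, so the login code notices that an enabled provider's app is missing. The app/provider mapping, the `Instance` class and the decision to fail closed (deny the login) when the provider is missing are assumptions for the model; the thread does not say exactly what 14 does in that case.

```python
"""Toy model of stateless vs. stateful 2FA provider registration.

Added illustration, not Nextcloud code. Failing closed when an enabled
provider's app is unavailable is an assumption of this model.
"""

# Constructed mapping: which app ships which provider id (assumption).
PROVIDER_APP = {"totp": "twofactor_totp"}


class Instance:
    """Minimal stand-in for a server: enabled apps, app-private data, core state table."""

    def __init__(self):
        self.enabled_apps = set()
        self.app_user_data = {}    # app id -> set of uids with a secret in that app's own table
        self.provider_state = {}   # (uid, provider id) -> bool; the core table the 14 design adds

    def enable_app(self, app):
        self.enabled_apps.add(app)

    def disable_app(self, app):
        # What an incompatible-app check does during upgrade: the app goes away, its data stays.
        self.enabled_apps.discard(app)

    def enroll(self, uid, provider, stateful):
        app = PROVIDER_APP[provider]
        self.app_user_data.setdefault(app, set()).add(uid)
        if stateful:
            self.provider_state[(uid, provider)] = True


def loaded_providers(inst):
    """Provider ids whose app is currently enabled."""
    return {pid for pid, app in PROVIDER_APP.items() if app in inst.enabled_apps}


def required_providers(inst, uid, stateful):
    """Providers the user has enabled, as the login code can see them."""
    if stateful:
        return {pid for (u, pid), on in inst.provider_state.items() if u == uid and on}
    # Stateless: only a loaded app can answer "is this user enrolled?"
    return {pid for pid in loaded_providers(inst)
            if uid in inst.app_user_data.get(PROVIDER_APP[pid], set())}


def login(inst, uid, password_ok, otp_ok, stateful):
    """Return the outcome of a login attempt as a short string."""
    if not password_ok:
        return "denied"
    required = required_providers(inst, uid, stateful)
    if not required:
        return "session (password only)"
    if not required & loaded_providers(inst):
        # Provider enabled for the user but its app is gone: fail closed (assumption).
        return "blocked (enabled 2FA provider unavailable)"
    return "session (2FA)" if otp_ok else "denied"


def upgrade_scenario(stateful):
    """Steps 1-3 of the report: enroll, upgrade disables the app, log in with password only."""
    inst = Instance()
    inst.enable_app("twofactor_totp")
    inst.enroll("X", "totp", stateful)
    before = login(inst, "X", True, False, stateful)   # password alone is rejected
    inst.disable_app("twofactor_totp")                 # what the upgrade did
    after = login(inst, "X", True, False, stateful)
    return before, after


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", upgrade_scenario(mode))
```

Running it shows the stateless instance silently downgrading to a password-only session after the app is disabled, while the stateful one refuses the login because a provider it knows is enabled can no longer be loaded. The general lesson is that a second factor must be enforced from state the core owns, not from whether a plugin happens to be loaded at the moment of the check.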

@rullzer nevertheless, isn't it strange when the essential security concept (2FA) is just missed in a security/privacy-aimed software's workflow? Maybe some flag (even a binary one) should be added as an app's property (especially for official ones) to stop instances' admins just before they do potentially really wrong things w/o any knowledge of what they really do ("It's just a new version of NC! Let me find out all those cool new features myself and then look at the changelog" – so am I too).

I've installed twofactor_totp 1.5.0 but nothing still works as expected. I've tried to log in via Firefox's "Private window", Firefox started in a new unprivileged LXC container, Chromium. All the same: it's enough to enter the correct password and there is no prompting for the OTP.

@oddmean yes noticed this as well recently. Fixed with https://github.com/nextcloud/server/pull/10578 and will also land in beta3

Thank you, @rullzer. Hope #10578 is not just a crutch. Awaiting Thursday's release. BTW, is there a way to restrict an account from logging in via NC's website frontend while keeping the account's applications working (w/ dedicated passwords for each)?

Beta3 is released.
Please check it out.

Works like a charm, thank you!
