Server: users reveal their mail address by default

Created on 4 Apr 2019 · 21 Comments · Source: nextcloud/server

Steps to reproduce

  1. register as a new user
  2. after some months, explore the menu
  3. discover that your mail address was public to ALL the other cloud users on the same server

Expected behaviour

Private data should not be revealed by default

Make public data available, protect private data.
Source:

  • hacker ethics
  • gdpr

Actual behaviour

Users' mail address is revealed to other users by default

Server configuration

LAMP, Ubuntu 18.04

Nextcloud version: 15.0.5
fresh install since upgrade from OC failed

Where did you install Nextcloud from: Webclient

List of activated apps:
deactivated ALL Apps - same behavior

Nextcloud configuration:


Config report

If you have access to your command line run e.g.:

```json
{
  "system": {
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "cloud.REMOVED.de"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "15.0.5.3",
    "overwrite.cli.url": "https:\/\/cloud.REMOVED.de",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "mail_smtpmode": "smtp",
    "mail_sendmailmode": "pipe",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "updater.secret": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "theme": "",
    "loglevel": 2,
    "CUSTOMSETTINGSMATTHIAS": "ab hier!!!",
    "default_language": "de",
    "default_locale": "de",
    "force_language": "de",
    "force_locale": "de",
    "mail_smtpsecure": "ssl",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "465",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
  }
}
```

Client configuration

Browser:
IE, FF, Chrome
Operating system:

0. Needs triage bug users and groups

All 21 comments

What do you think, @nextcloud/server-triage?

Yes, but contacts means all other users on the same server plus trusted federation servers, doesn't it? I think that's the point of @yasuoiwakura...

Yes, I see no reason to assume my users would want their mail address revealed to each other.
I mean, I cannot see any of the GitHub users' email (not even those who wrote in the same topic) and I guess there is a good reason it is private by default

Any idea how to temporarily fix or disable this leak? It is a real privacy problem for my users...

Updated to NC16, still same problem.

btw. this information is false, since it claims that only administrators have access to my data:

https://cloud.domain.tld/index.php/settings/user/privacy

Data in this term are your files. The email address is also checked for sharing, so this is more of a general issue with a bigger impact on how all the things are handled and needs some more planning than a quick change on a setting

Okay I just checked again and I was wrong.
If the email is set to private, you can not find users by their email address.

So I guess it boils down to the fact, that you registered (on a public instance) where "everyone on the cloud knows each other" is not a good sensitive default.
Maybe we should add an option for that, so admins can configure this.

cc @rullzer @MorrisJobke what do you think about this?

hm my current workaround is to <!--hide--> the contact list in the upper right corner.

imho, users should indeed be able to share files with other users/groups (should be defined by admin) without seeing their email.

Workaround until next update of NC to set default mode of email to private FOR NEW USER-REGISTRATION.

Edit in lib/private/Accounts/AccountManager.php

```php
self::PROPERTY_EMAIL =>
        [
                'value' => $user->getEMailAddress(),
                'scope' => self::VISIBILITY_CONTACTS_ONLY,
                'verified' => self::NOT_VERIFIED,
        ],
```

to

```php
self::PROPERTY_EMAIL =>
        [
                'value' => $user->getEMailAddress(),
                'scope' => self::VISIBILITY_PRIVATE,
                'verified' => self::NOT_VERIFIED,
        ],
```

This worked in my test-environment.

But I also want to set the value for already registered users.. so I update the value in the database "oc_accounts" via:

```sql
UPDATE oc_accounts SET data = JSON_SET(data, '$.email.scope', 'private');
```

This was not enough. Mails are still shown.. so I dumped the database before and after setting an email to private mode to diff them. And the result is that the email is also set in 'oc_cards' and 'oc_cards_properties'.
Editing those two databases seems to be more difficult =(

Any idea?

So.. no solution to set globally mail address hidden for already registered users?

> So.. no solution to set globally mail address hidden for already registered users?

Issue still there and ignored in NC18.

Workaround that "hides" the problem without breaking code integrity:
activate https://github.com/juliushaertl/theming_customcss
Then go to Design => Custom CSS:

```css
#contactsmenu {
  visibility: hidden;
}
```

> Okay I just checked again and I was wrong.
> If the email is set to private, you can not find users by their email address.
>
> So I guess it boils down to the fact, that you registered (on a public instance) where "everyone on the cloud knows each other" is not a good sensitive default.
> Maybe we should add an option for that, so admins can configure this.

Since I'm not a coder.. how difficult is it to make this an option for config.php?

> > So.. no solution to set globally mail address hidden for already registered users?
>
> Issue still there and ignored in NC18.
>
> Workaround that "hides" the problem without breaking code integrity:
> activate https://github.com/juliushaertl/theming_customcss
> Then go to Design => Custom CSS:
>
> ```css
> #contactsmenu {
>   visibility: hidden;
> }
> ```

A less intrusive approach that is not breaking the autocomplete is simply hiding the mail icon:

```css
div#contactsmenu.openedMenu div#contactsmenu-menu.menu div.content div#contactsmenu-contacts div div.contact a.top-action {
  visibility: hidden;
}
```

Still this is no real solution as the email address is still disclosed in the source code of the page.

After digging deep into the model view controller ajax jquery stack I found this patch to close the data leak:

In nextcloud/lib/private/Contacts/ContactsMenu/ActionFactory.php edit the function that generates the email link to only generate blank links:

```php
public function newEMailAction($icon, $name, $email) {
        // Workaround: drop $name and $email so the generated link is blank
        return $this->newLinkAction($icon, '', '');
}
```

EDIT: An even better patch is to edit nextcloud/lib/private/Contacts/ContactsMenu/Providers/EMailProvider.php.
Change `if (empty($address)) {` to `if (1) {` so no mailto: links are generated anymore:

```php
public function process(IEntry $entry) {
        $iconUrl = $this->urlGenerator->getAbsoluteURL($this->urlGenerator->imagePath('core', 'actions/mail.svg'));
        foreach ($entry->getEMailAddresses() as $address) {
                if (1) {
                        // Workaround: condition is always true, so every address is skipped
                        continue;
                }
                $action = $this->actionFactory->newEMailAction($iconUrl, $address, $address);
                $entry->addAction($action);
        }
}
```

Not duplicate but related.
More a duplicate of this: https://github.com/nextcloud/server/issues/6578

https://github.com/nextcloud/server/pull/20667 will provide a way to fix this with some config.php configuration.

The #CSS hack of @jamasi didn't work for me, so I added the last part for Talk support.

```css
div#contactsmenu.openedMenu div#contactsmenu-menu.menu div.content div#contactsmenu-contacts div div.contact a.top-action,
div.popovermenu ul li a.focusable[href^="mailto:"] {
  visibility: hidden;
}
```

Still hoping the fix of @tcitworld gets embedded soon.

> The #CSS hack of @jamasi didn't work for me, so I added the last part for Talk support.

Be aware that CSS hacks do not stop Nextcloud from exposing the email addresses of the other users. Instead, this little patch seems to work for me: https://github.com/nextcloud/server/issues/14959#issuecomment-614338855
Still, a proper fix like in the mentioned PR will be most welcome, so one does not have to re-apply the patch after each update.
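
The distinction drawn in the comments above, that a CSS rule only hides the mail icon while a server-side change removes the address from the response, can be checked mechanically after each update. This is an added example, not part of the original thread or of Nextcloud's code; both HTML samples are constructed, using the class names from the CSS selectors quoted in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class AddressCollector(HTMLParser):
    """Collect e-mail addresses from attribute values and text; CSS is never evaluated."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def _scan(self, value):
        # unquote() decodes percent-encoding such as mailto:bob%40example.org
        for match in EMAIL_RE.findall(unquote(value or "")):
            self.found.add(match.lower())

    def handle_starttag(self, tag, attrs):
        for _name, value in attrs:
            self._scan(value)

    def handle_data(self, data):
        self._scan(data)


def exposed_addresses(markup):
    """Return every address present anywhere in the markup."""
    collector = AddressCollector()
    collector.feed(markup)
    collector.close()
    return collector.found


# Constructed sample: contacts menu with only the CSS workaround applied.
CSS_ONLY = """
<style>div.contact a.top-action { visibility: hidden; }</style>
<div class="contact"><a class="top-action" href="mailto:alice@example.org" title="alice@example.org"></a></div>
<div class="contact"><a class="top-action" href="mailto:bob%40example.org"></a></div>
"""

# Constructed sample: the same menu when the server emits no e-mail action.
SERVER_PATCHED = '<div class="contact"><span>Alice</span></div><div class="contact"><span>Bob</span></div>'

if __name__ == "__main__":
    print(sorted(exposed_addresses(CSS_ONLY)), sorted(exposed_addresses(SERVER_PATCHED)))
```

Run against a saved copy of what your own browser session receives, an empty result is the condition to re-check after every upgrade that overwrites a patched file.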
