How a Shared Folder Led to Full Account Access in Nextcloud

Tags: Web Security, Nextcloud, Business Logic Error

Introduction

As readers of my other Nextcloud posts will know, this time I found a vulnerability that leads to account takeover. It allowed any user with a basic account to bypass the restrictions on sharing external storage, capture a victim’s JWT, and take full control of that account. I reported it through Nextcloud’s bug bounty program, and the issue has since been fixed.

What is External Storage in Nextcloud?

Nextcloud’s External Storage feature allows users to connect to files on services like Google Drive, Dropbox, SFTP, or SMB shares, accessing them directly in the Nextcloud interface. Admins can configure it system-wide, or users can link their own accounts. It makes remote files feel like local ones, simplifying access and management.


How I Found It

While testing the External Storage Support app, I noticed a flaw in the sharing mechanism. When a user opens an external storage mount, the platform automatically sends an HTTP GET request to the storage backend with that user’s Authorization Bearer token (a JWT) in the request header. This can be abused if the storage backend is a server the attacker controls. The app failed to validate the type of storage being shared, which allowed me to set up an external storage pointing at my Burp Collaborator server and capture the victim’s JWT when they accessed it.


The Vulnerability

This high-severity vulnerability (CVE-2023-35928) stemmed from weak validation in Nextcloud’s sharing API for external storage. The system didn’t restrict sharing of unsupported storage types, so a low-privileged user could share a crafted path (e.g., "/TEST#") with another user, such as an admin. When the victim accessed the shared storage, Nextcloud sent an HTTP GET request carrying their Authorization Bearer token to the attacker’s server, exposing their JWT. That token could then be used to authenticate as the victim, leading to full account takeover.

The issue was caused by the API’s failure to validate external storage paths and the automatic inclusion of the victim’s JWT in requests.
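To make the missing check concrete, here is an added example (my own illustration, not Nextcloud’s code or its actual fix) of a share-creation validator: the weak version only checks that a path and permission set are present, while the hardened version rejects malformed paths and refuses to share anything that resolves to an external storage mount unless its host is on an admin allowlist. The mount table, backend names, allowlists and function names are all hypothetical.

```python
"""Share-request validation: a weak check beside a hardened one.

Added example, not Nextcloud's code. It models the server-side check the
write-up says was missing: a share whose path lives on a user-configured
external storage mount (or whose path is malformed) should be refused.
"""
from dataclasses import dataclass

# Constructed mount table: mount point -> backend descriptor (hypothetical).
# A real deployment would read this from the external storage configuration.
MOUNTS = {
    "/": {"backend": "local", "host": None},                        # user's home
    "/Corp": {"backend": "smb", "host": "storage.corp.example"},    # admin-configured
    "/TEST": {"backend": "webdav", "host": "untrusted.example"},    # user-configured
}

SHAREABLE_BACKENDS = {"local"}                      # hypothetical allowlist
ALLOWED_EXTERNAL_HOSTS = {"storage.corp.example"}   # hypothetical admin allowlist
MAX_PERMISSIONS = 31                                # read/update/create/delete/share bits


@dataclass
class ShareRequest:
    path: str
    share_with: str
    permissions: int


def resolve_mount(path):
    """Return the descriptor of the longest mount point that is a prefix of path."""
    best = None
    for prefix, mount in MOUNTS.items():
        if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, mount)
    return best[1] if best else None


def weak_validate(req):
    """Checks the write-up describes as insufficient: presence and permission range only."""
    return bool(req.path) and 0 < req.permissions <= MAX_PERMISSIONS


def hardened_validate(req):
    """Return (allowed, reason). Rejects malformed paths and non-allowlisted external storage."""
    if not (0 < req.permissions <= MAX_PERMISSIONS):
        return False, "invalid permissions"
    # 1. Reject paths that are not absolute, carry fragment/query characters, or traverse upward.
    if (not req.path.startswith("/")
            or any(c in req.path for c in "#?")
            or ".." in req.path.split("/")):
        return False, "malformed path"
    # 2. Resolve the path to its mount and refuse storage types that must not be re-shared.
    mount = resolve_mount(req.path)
    if mount is None:
        return False, "unknown mount"
    if mount["backend"] not in SHAREABLE_BACKENDS and mount["host"] not in ALLOWED_EXTERNAL_HOSTS:
        return False, f"external storage on {mount['host']} is not shareable"
    return True, "ok"


if __name__ == "__main__":
    for p in ("/TEST#", "/TEST/secret.txt", "/Corp/q2.xlsx", "/Documents/notes.md"):
        req = ShareRequest(p, "admin", 31)
        print(f"{p:22} weak={weak_validate(req)!s:5} hardened={hardened_validate(req)}")
```

The crafted path from the write-up passes the weak check but fails the hardened one twice over: first on the `#` character, and, once the fragment is removed, because it resolves to a user-configured WebDAV mount whose host is not on the allowlist.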

Exploitation Steps

The exploit was straightforward:

  1. Log in as an admin in one browser to enable the "External Storage Support" app from the Apps menu.

  2. In a private browser, log in as a low-privileged user and create an external storage pointing to my Burp Collaborator Server to capture the victim’s JWT.

  3. Send an HTTP POST request to share the malicious external storage path:

    POST /ocs/v2.php/apps/files_sharing/api/v1/shares HTTP/1.1
    Host: 127.0.0.1:8090
    Content-Length: 102
    Accept: application/json, text/plain, */*
    requesttoken: pquTDJ2tXhdmQTw7Z5FajyvY9KuBsaGdwyKIHPRDH44=:9eegNbLGKnYMbhcPLPUP5R7qpNzUmvP1plaxUJ0UfMQ=
    Content-Type: application/json
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: --REDACTED--
    Connection: close
    
    {"path":"/TEST#","permissions":31,"shareType":0,"shareWith":"admin","password":null,"attributes":"[]"}
    
  4. When the target user (e.g., admin) accesses the shared storage, an HTTP GET request is sent to the Burp Collaborator Server, including the victim’s JWT token.

Figure 1: HTTP GET Request with Leaked Authorization Bearer Token
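For defenders who want to look for this pattern retrospectively, here is an added example (mine, not part of the original post) of a small detector that correlates two events from a share-creation audit trail: a user creating an external storage mount that points at a host outside an admin allowlist, followed by that same user sharing a path under that mount with someone else. The log lines are constructed, and the JSON field names other than `time`, `user`, `app`, `method` and `url` are hypothetical rather than Nextcloud’s real log schema; a real deployment would need its own parsing step for the audit log it actually produces.

```python
"""Correlate user-created external mounts with subsequent shares of them.

Added example, not Nextcloud's code. Field names such as `event`,
`mount_point`, `host` and `share_with` are hypothetical; the log lines
below are constructed to resemble the scenario in the write-up.
"""
import json
from collections import defaultdict

# Hypothetical admin allowlist; any other external host is treated as untrusted.
TRUSTED_EXTERNAL_HOSTS = {"storage.corp.example"}

# Constructed audit events, one JSON object per line, in chronological order.
SAMPLE_LOG = """
{"time":"2023-05-09T10:00:00+00:00","user":"lowpriv","app":"files_external","method":"POST","url":"/apps/files_external/userstorages","event":"mount_created","mount_point":"/TEST","backend":"webdav","host":"untrusted.example"}
{"time":"2023-05-09T10:01:00+00:00","user":"lowpriv","app":"files_sharing","method":"POST","url":"/ocs/v2.php/apps/files_sharing/api/v1/shares","event":"share_created","path":"/TEST#","share_with":"admin"}
{"time":"2023-05-09T10:02:00+00:00","user":"alice","app":"files_external","method":"POST","url":"/apps/files_external/userstorages","event":"mount_created","mount_point":"/Corp","backend":"smb","host":"storage.corp.example"}
{"time":"2023-05-09T10:03:00+00:00","user":"alice","app":"files_sharing","method":"POST","url":"/ocs/v2.php/apps/files_sharing/api/v1/shares","event":"share_created","path":"/Corp/q2.xlsx","share_with":"bob"}
{"time":"2023-05-09T10:04:00+00:00","user":"bob","app":"files_sharing","method":"POST","url":"/ocs/v2.php/apps/files_sharing/api/v1/shares","event":"share_created","path":"/Documents/notes.md","share_with":"alice"}
"""


def parse_log(text):
    """Parse JSON-lines audit text; lines that are not valid JSON are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def normalize_path(path):
    """Drop any '#'/'?' suffix (the crafted path in the write-up ends in '#') and trailing slashes."""
    for sep in "#?":
        path = path.split(sep, 1)[0]
    return path.rstrip("/") or "/"


def find_suspicious_shares(events):
    """Flag shares that carry fragment/query characters or expose a user-mounted untrusted host."""
    mounts = defaultdict(list)   # user -> external mounts that user created so far
    findings = []
    for ev in events:
        if ev.get("event") == "mount_created":
            mounts[ev["user"]].append(ev)
        elif ev.get("event") == "share_created":
            raw = ev.get("path", "")
            path = normalize_path(raw)
            reasons = []
            if raw != path:
                reasons.append("path contains fragment/query characters")
            for m in mounts[ev["user"]]:
                mp = m["mount_point"].rstrip("/")
                if path == mp or path.startswith(mp + "/"):
                    if m["host"] not in TRUSTED_EXTERNAL_HOSTS:
                        reasons.append(
                            f"shares user-mounted external storage on untrusted host {m['host']}")
            if reasons:
                findings.append({"time": ev["time"], "user": ev["user"],
                                 "share_with": ev.get("share_with"),
                                 "path": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_shares(parse_log(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']} -> {f['share_with']} {f['path']}: {'; '.join(f['reasons'])}")
```

Only the `lowpriv` share is flagged, for both reasons; Alice's share of an admin-allowlisted SMB mount and Bob's share of a local path produce no finding. Keying mounts by the creating user is deliberate: a share of an external mount an admin set up is normal, whereas a share of one the sharing user created moments earlier is the shape of the attack in this write-up.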


Impact

How It Leads to Account Takeover

The stolen JWT token is a game-changer for attackers. This token, used by Nextcloud for authentication, grants the same access as the victim’s account. If the victim is an admin, I could use the JWT to log in as them, gaining full control over the Nextcloud instance. This includes accessing all files, modifying user settings, or even creating new accounts. For regular users, the token still allows access to their private data, enabling impersonation and potential escalation to higher privileges by chaining with other vulnerabilities.

Disclosure Timeline

  • May 9, 2023: I identified and reported the vulnerability through Nextcloud’s bug bounty program (HackerOne report #2254151).
  • May 9, 2023: Nextcloud confirmed the issue.
  • May 25, 2023: Patch released with improved validation for external storage sharing.

Conclusion

This high-severity flaw in Nextcloud allowed me to steal JWT tokens and access sensitive data by exploiting weak API validation. I’m grateful for the Nextcloud team’s quick response in fixing this issue. Admins should update to the latest version, review external storage settings, and disable the "External Storage Support" app if not needed.

Disclosed responsibly through the Nextcloud bug bounty program.