From Folder Sharing to Data Exposure

Tags: Web Security, Nextcloud, Business Logic Error

Introduction

Working as a team with Armend and Arjanit on the Nextcloud platform, we discovered a business logic vulnerability that enabled any authenticated user to access and alter notes created by other users, including administrators, through a folder-sharing exploit.

How It Began

While exploring Nextcloud's Notes app, which stores user notes in a designated "Notes" folder, I investigated its interaction with the platform's folder-sharing feature. This feature allows users to share folders for collaboration. I found that the Notes app failed to validate the ownership of shared folders, allowing notes to be stored in a folder controlled by another user.


The Vulnerability

The vulnerability (CVE-2024-37317) was a business logic error in the Notes app's integration with the sharing mechanism. When I created a folder named "Notes" and shared it with another user (e.g., an admin), the Notes app incorrectly stored their notes in my shared folder without validating ownership or permissions. This allowed me to read and potentially modify their notes, bypassing intended access controls.

The flaw stemmed from the app's assumption that notes would always be stored in a user's own "Notes" folder, failing to account for shared folders with the same name.

Exploitation Steps

The exploitation process was simple:

  1. Log in to Nextcloud as a low-privileged user.
  2. Create a folder named "Notes" in my account.
  3. Use the share button to search for the target user's username (e.g., an admin).
  4. Share the "Notes" folder with the target user, granting them access.
  5. Notice that any notes created by the target user in the Notes app are stored in my shared "Notes" folder, accessible to me.
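To make the flaw concrete, here is a small Python model of the lookup the Notes app performs for its storage folder, with the flawed version beside a hardened one and an audit helper for the share monitoring recommended later. This is an added illustration, not Nextcloud's code; the folder and share data are constructed, the share-mount semantics are simplified, and the shape of the fix is an assumption.

```python
# Added model (not Nextcloud's code) of the flawed vs. hardened notes-folder
# lookup. Folder, owner and share data below are constructed for the example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Folder:
    path: str                                   # path as the recipient sees it
    owner: str                                  # account whose storage holds the data
    shared_with: frozenset = field(default_factory=frozenset)


class NotesFolderError(Exception):
    """Raised when the notes folder would resolve to storage the user does not own."""


def visible_folders(user, folders):
    # A user sees their own folders plus folders shared with them.
    # Assumption: incoming shares are mounted under their original path.
    return [f for f in folders if f.owner == user or user in f.shared_with]


def resolve_notes_folder_vulnerable(user, folders, notes_path="/Notes"):
    # Flawed lookup: the first visible folder with the configured name wins,
    # so a share named "Notes" from another account silently receives the notes.
    for f in visible_folders(user, folders):
        if f.path == notes_path:
            return f
    return Folder(notes_path, user)


def resolve_notes_folder_fixed(user, folders, notes_path="/Notes"):
    # Hardened lookup (assumed fix shape): a same-named folder owned by another
    # account is rejected instead of being used as the notes storage.
    for f in visible_folders(user, folders):
        if f.path == notes_path:
            if f.owner != user:
                raise NotesFolderError(
                    f"{notes_path} for {user} is a share owned by {f.owner}")
            return f
    return Folder(notes_path, user)


def shadowing_shares(folders, notes_path="/Notes"):
    # Audit helper: incoming shares matching the notes folder name, returned as
    # (recipient, sharer) pairs for an administrator to review.
    return sorted((r, f.owner) for f in folders
                  if f.path == notes_path for r in f.shared_with)


# Constructed scenario: "mallory" shares a folder named Notes with "admin".
FOLDERS = [
    Folder("/Documents", "admin"),
    Folder("/Notes", "mallory", frozenset({"admin"})),
]
```

Running the two resolvers for `admin` shows the difference: the flawed one returns mallory's share as admin's notes folder, the hardened one refuses and the audit helper reports the (admin, mallory) share.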

Proof of Concept

A video demonstrating the exploit is available:


Why This Mattered

This business logic error had serious implications:

  • Unauthorized Access: As a low-privileged user, I could access sensitive notes of other users, including administrators.
  • Data Manipulation: I could potentially modify or delete notes in the shared folder.
  • Privacy Breach: The flaw compromised the confidentiality of user notes, exposing sensitive information.

The exploit was easy to execute, requiring only a standard user account and the target's username, posing a critical risk to any Nextcloud instance with the Notes app enabled.


Disclosure Timeline

  • November 15, 2023: I identified and reported the vulnerability via Nextcloud's bug bounty program (HackerOne report #2254151).
  • November 16, 2023: Nextcloud confirmed the issue.
  • April 3, 2024: Patch released with improved validation for shared folders.

Conclusion

This vulnerability in Nextcloud's Notes app allowed me to obtain and modify user notes through improper handling of shared folders. I commend the Nextcloud team for their swift response and resolution. Administrators should update to the latest version, monitor folder-sharing activities, and consider disabling the Notes app if not essential.

Disclosed responsibly through the Nextcloud bug bounty program.