Data breach incident addressed by Nextcloud following public alarm
In a recent development, the open-source cloud storage platform Nextcloud has been working diligently to address several critical bugs that surfaced after the release of version 31.0.0. These issues affected file editing authorization, internal connectivity, app store search, and container startup.
The first instance of peculiar activity was noticed by Mastodon user "Niels" in their Nextcloud server logs, following an upgrade to version 31.0.0. The root cause was a logic issue that triggered unnecessary requests from the Nextcloud server to the lookup server. German researcher Tobias Fiebig delved into the issue, and after discussions with Nextcloud's director of engineering, Andy Scherzinger, it was determined that a change made in February 2021 was responsible for this flurry of requests.
Nextcloud acted swiftly to fix the bug, disabling the lookup server on Saturday morning after receiving the report on Friday evening. Fortunately, no data was mistakenly exposed during this period. The team has also decided to opt for a hard-coded quick fix to disable the feature, as seen in this pull request.
To prevent such incidents in the future, Nextcloud will change the federated file sharing settings to off by default in upcoming releases. A warning popup will also be introduced for admins to ensure they are aware of this change. Moreover, the lookup server's follow-up requests will use HTTPS when available, and the logic will be changed to avoid sending requests when users have no data on the lookup server.
In response to the community's concerns about their data being stored on an external server, the Nextcloud team found these worries to be unjustified. The team encourages users to report issues responsibly to avoid alerting potential malicious actors.
As part of their ongoing efforts to improve, Nextcloud also shipped the second release candidate of version 31.0.0 to users on Tuesday, and the team is on track to issue the final release soon. The remaining issues were addressed in subsequent patch updates, such as 31.0.7 and 31.0.8, each of which fixed specific bugs. Users were advised to upgrade to the latest patch version and apply any recommended configuration fixes to restore full functionality.
The reported issues were:
[1] "WOPI host not authorized" errors when trying to open files for editing, leading to documents failing to load (version 31.0.0, noted in 31.0.7 as well).
[2] Nextcloud reporting that it cannot connect to itself, causing services such as Nextcloud Talk to malfunction (reported in version 31.0.8).
[3] Search in the Nextcloud app store's "Explore" section not working and returning no results, despite working in other sections (noted in 31.0.7).
[4] HTTP 502 errors where Nextcloud container services stay stuck in "Starting" status in All-in-One (AIO) container setups (general 31.x versions).