Nextcloud Talk leaks email addresses of other Nextcloud Users

[mritzmann]

Steps to reproduce

1. Disable Allow sharing with groups (/index.php/settings/admin/sharing)
2. Open Nextcloud Talk (/index.php/apps/spreed/)
3. Click on Create a new group conversation (Conversation name is not relevant)
4. Invite a group and click on Create conversation
5. A group conversation is created and opens
6. All group users are visible in the sidebar
7. The full name and email of every user are visible

Expected behaviour

Allow sharing with groups is disabled. Therefore, sharing with a group should not be possible.

Actual behaviour

Sharing with groups is possible even though the option Allow sharing with groups is disabled. In this way, the name and email address of each user is leaked. Writing to whole groups also allows spamming.

This is a problem for:

• Public Nextcloud which offer free accounts
• Providers who offer Nextcloud but rely on one or more shared Nextclouds for they users
• Schools, associations or other organizations that operate a Nextcloud, but whose users register with their own private and non-public email address (I am thinking of schools whose students are possibly registered with the private email)

Q: But the use can set his email address in the profile to private.
A: Yes, but most users are not aware of this. And the standard cannot be changed.

Q: The problem is not so big, the user has to guess the group name.
A: The groups in which the user is, is visible in the profile.

Q: Then you simply must not use groups.
A: Apps like preferred_providers and others are based on groups.

Q: Yes, but... I think this is a normal behavior of talk and a accepted risk.
A: Then a hint would be useful ☺️. Also, this is awkward because there is an extra option for this which does not work.

Talk app

Talk app version: 10.0.5

Custom Signaling server configured: no

Custom TURN server configured: no

Custom STUN server configured: no

Browser

Microphone available: yes

Camera available: yes

Operating system: Ubuntu

Browser name: Chrome

Browser version: 88

Browser log

not relevant

Server configuration

Operating system: Debian

Web server: Nginx

Database: MariaDB

PHP version: 7.4

Nextcloud Version: 20.0.6

List of activated apps:

$ php ~/www/occ app:list
Enabled:
  - accessibility: 1.6.0
  - activity: 2.13.4
  - bruteforcesettings: 2.0.1
  - cloud_federation_api: 1.3.0
  - comments: 1.10.0
  - contactsinteraction: 1.1.0
  - dashboard: 7.0.0
  - dav: 1.16.2
  - federatedfilesharing: 1.10.2
  - federation: 1.10.1
  - files: 1.15.0
  - files_pdfviewer: 2.0.1
  - files_rightclick: 0.17.0
  - files_sharing: 1.12.2
  - files_trashbin: 1.10.1
  - files_versions: 1.13.0
  - files_videoplayer: 1.9.0
  - firstrunwizard: 2.9.0
  - logreader: 2.5.0
  - lookup_server_connector: 1.8.0
  - nextcloud_announcements: 1.9.0
  - notifications: 2.8.0
  - oauth2: 1.8.0
  - password_policy: 1.10.1
  - photos: 1.2.3
  - privacy: 1.4.0
  - provisioning_api: 1.10.0
  - recommendations: 0.8.0
  - serverinfo: 1.10.0
  - settings: 1.2.0
  - sharebymail: 1.10.0
  - spreed: 10.0.5
  - support: 1.3.0
  - survey_client: 1.8.0
  - systemtags: 1.10.0
  - text: 3.1.0
  - theming: 1.11.0
  - twofactor_backupcodes: 1.9.0
  - updatenotification: 1.10.0
  - user_status: 1.0.1
  - viewer: 1.4.0
  - weather_status: 1.0.0
  - workflowengine: 2.2.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - user_ldap

Nextcloud configuration:

$ php ~/www/occ config:list system
The current PHP memory limit is below the recommended value of 512MB.
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "20.0.6.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true
    }
}

Server log (data/nextcloud.log)

not relevant

[PVince81]

see nextcloud/server#23172, requires adding a new option in core to hide these in the contacts menu

[PVince81]

Allow sharing with groups

This option is specifically for the files app and about "sharing".
Creating a conversation doesn't qualify as "sharing".

This would require a new Talk option to also prevent creating group conversation with groups.
So probably this would mean only allowing creating public conversations without any participants and let the people join on their own.

[PVince81]

A similar ticket exists here #5039 but to limit participants that can be added to members of the same groups.

[mritzmann]

@PVince81 The issue nextcloud/server#23172 is a good start, but in my opinion it is not enough.

• The complete name (Full name) is also leaked. Issue Option to disable showing system email in avatars' contacts menu server#23172 does not address this.
• The Allow sharing with groups option is still not respected, which allows spam.

This option is specifically for the files app and about "sharing".
(..)
This would require a new Talk option to also prevent creating group conversation with groups.

I would appreciate it if there would be such a talk option.

[nickvergessen]

Restrict users to only share with users in their groups

Is the setting you are looking for. With that people can only add groups they are a member of.
So the thing missing is the endpoint respecting the Allow sharing with groups setting. But since the endpoint for group suggestions is in server anyway this is the wrong repo.

Also note that there is no "leaking" of Full names as there is no privacy on full names. If someone adds 2 people into the room they will always see their names independent from any setting.

[nickvergessen]

Correct code position for further reporting:
https://github.com/nextcloud/server/blob/d9015a8c94bfd71fe484618a06d276701d3bf9ff/lib/private/Collaboration/Collaborators/GroupPlugin.php#L56-L58

[mritzmann]

Also note that there is no "leaking" of Full names as there is no privacy on full names

Okay, I guess I have to accept that. That's okay.

> Restrict users to only share with users in their groups
Is the setting you are looking for. With that people can only add groups they are a member of.

I do not think that this option will help in this case. I would like to achieve that users can not write to groups. Not even their own.

• Because this leads to spam on shared installations
• Because this leaks email addresses of other users

Or in other words: Currently Nextcloud Talk cannot be used on shared installations for this reasons. Unless I'm missing something or this problem is accepted by the users and the person responsible for the installation. I am unsure how to proceed with this issue. From Nextcloud Talk's point of view, the problem is now known, the issue has been closed, and the risk has thus been accepted.

A few questions:

• Is Allow sharing with groups also an endpoint which is not available for Apps?
• If yes: Is it desired that I create an issue in nextcloud/server (so that the endpoint is made available) and then I report back here? Or is this something that Nextcloud Talk does not want to implement either way.

Don't get me wrong, currently it's no longer a problem for me. The Nextcloud Talk app is now simply disabled. But I think the issue could also be a problem for others who are not aware of it. If Nextcloud simply says "that's the way it is because that's the way it is" then that's okay with me.

[nickvergessen]

A few questions:

Regarding your questions, I think it's a bug in the code I posted in the comment above. It is not respecting that config.

Or in other words: Currently Nextcloud Talk cannot be used on shared installations for this reasons.

Well if you restrict sharing to own groups you can use it even as a hoster. Just make sure people that shouldn't know each others don't share a group 🤷🏼 This is how most universities use it

[mritzmann]

Just make sure people that shouldn't know each others don't share a group

In my case this is not possible because preferred_providers works with groups.

I think it's a bug in the code I posted in the comment above

Thanks for your time :-). I have created an issue accordingly.