RainLoop app security hole

I’m not sure if security issues should be commented in public, but since the original warning is public… Well, if you want to delete this post after you have read it, it’s ok.

So, have a look here, 2nd comment, and also a look at the Github link in it:
https://apps.nextcloud.com/apps/rainloop

I don’t mind if I have to log in separately as long as my account isn’t going to be so vulnerable.

BR

Thanks for reporting.

I’ve disabled autologin in rainloop (webmail) now, and poked other nextcloud hosters around. We’ll keep an eye on this issue and try to point some developers at it hoping someone implements a fix soon.

Additionally we have now removed all the insecurely encoded passwords from the database just in case this could be exploited by an external attacker or someone (like even disroot admins) with access to the server.

Many thanks for your rapid reaction. Would you recommend the users to change their passwords, just in case?

Appendix:
Did you solve that problem with [reasonably] secure passwords, or if we change them should we stick to only ASCII passwords? I am, sincerely, no exaggerations, afraid to change it and lose my account again as I did before because of the commented bug :-/

Ok, this is scary. I’ve changed my password, no non-latin characters, the process has been completed without issues. I can log in my account, like this message demonstrates, but I can’t open any of my files. I always get this message:

Private Key missing for user: please try to log-out and log-in again

I log out and then in, but things remain the same: all my encrypted files are lost; I can see them, in the Files application, but can’t open any.

At the top of the page there’s a floating banner with the following message:

Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files.

Are they lost forever or there’s a way to recover them? Maybe restoring the old password? The message talks about “upgrading”, but I don’t know how a password can be “upgraded” (password 1.1, 2.0… WTF?)
If my files are still recoverable this is a not so grave bug, but still a bug, and a real showstopper, but if my files are lost forever it’s indeed a very important bug, I believe. :worried:

Hi. This is normal. All files on the cloud are encrypted with a key generated from your user password. When you change the password, you need to update the key on the cloud, otherwise your data is lost. This of course makes sense. If you lose your password you lose access to the files. However if you remember your previous password, you need to update it, just as specified in:
https://howto.disroot.org/basics/how-to-change-your-disroot-user-password

we also state it on: https://disroot.org/services/nextcloud

I don’t think that’s needed, though of course it should be up to people to decide for themselves. It’s more about storing the password in the database rather than an exploit. Of course anyone with access to the database (admins) could recover the passwords, so if you don’t trust us, yes you should change the password. We are still checking whether our understanding (that this couldn’t be executed from a remote location) is correct, and of course we will inform all the users if there is a reason to.

nope. not yet :frowning:
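To make the key-update step above concrete, here is an added illustration (not Disroot’s or Nextcloud’s code) of why a private key wrapped under a password-derived key stops being recoverable when the login password is changed outside the app, and why re-wrapping it with the old password restores access. The cipher (an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC), the PBKDF2 parameters, the function names and the sample key bytes are all assumptions made for this demo; Nextcloud’s real on-disk format is not described on this page.

```python
import hashlib
import hmac
import os
import secrets

# Demo parameters (assumptions for this illustration, not Nextcloud's values).
KDF_ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 16


def derive_kek(password: str, salt: bytes) -> tuple:
    """Derive a key-encryption key from the login password.

    UTF-8 is used so non-Latin passwords (raised in the thread) round-trip;
    PBKDF2-HMAC-SHA256 is the stand-in KDF. Returns (enc_key, mac_key).
    """
    kek = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              KDF_ITERATIONS, dklen=64)
    return kek[:32], kek[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher for the demo)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def wrap_private_key(password: str, private_key: bytes) -> dict:
    """Encrypt the user's private key under the password (encrypt-then-MAC)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_kek(password, salt)
    ks = _keystream(enc_key, nonce, len(private_key))
    ct = bytes(p ^ k for p, k in zip(private_key, ks))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_private_key(password: str, blob: dict) -> bytes:
    """Recover the private key; raises ValueError when the password does not match.

    Without the MAC a wrong password would silently yield garbage key bytes;
    the check is what turns that into a clear 'invalid private key' condition.
    """
    enc_key, mac_key = derive_kek(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("invalid private key for encryption app: password does not match")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


def rewrap_private_key(old_password: str, new_password: str, blob: dict) -> dict:
    """The 'update your private key password' step: it needs the OLD password."""
    return wrap_private_key(new_password, unwrap_private_key(old_password, blob))


def simulate_password_change(old_password: str, new_password: str) -> dict:
    """Walk through the thread's scenario with a constructed private key."""
    private_key = secrets.token_bytes(48)  # stand-in for real key material (constructed)
    stored = wrap_private_key(old_password, private_key)

    # 1. Password changed at the account portal only: the stored blob is untouched,
    #    so the new login password no longer unwraps it.
    try:
        unwrap_private_key(new_password, stored)
        access_lost = False
    except ValueError:
        access_lost = True

    # 2. User follows the howto and updates the key password using the old one.
    updated = rewrap_private_key(old_password, new_password, stored)
    recovered = unwrap_private_key(new_password, updated) == private_key

    # 3. Once the blob is re-wrapped, the old password is of no further use.
    try:
        unwrap_private_key(old_password, updated)
        old_password_still_works = True
    except ValueError:
        old_password_still_works = False

    return {"access_lost_after_external_change": access_lost,
            "recovered_after_rewrap": recovered,
            "old_password_still_works": old_password_still_works}


if __name__ == "__main__":
    print(simulate_password_change("old-password", "nëw-pässword"))
```

The point the demo makes is that the server never holds the plaintext private key or the password, only the wrapped blob, so nothing on the server side can re-wrap it after an external password change; only a user who still knows the old password can. The authentication tag is also what distinguishes "wrong password" from silently decrypting garbage, which is the behaviour you want behind a banner like the one quoted earlier in the thread.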

Well, this is embarrassing… :sweat_smile:

I went to https://user.disroot.org/pwm-disroot/private/changepassword ahead supposing that all the process would be automatic, sorry. The worst part is that I had already seen your advice about password changes some weeks ago, but forgot about it completely :sweat:
I have followed now the instructions in https://howto.disroot.org/basics/how-to-change-your-disroot-user-password and everything is right again. Sorry for bothering.

Nevertheless I’d like to suggest that you might add some warning, and perhaps the howto link above, because human memory is crappy and malfunctioning, like I myself can witness :grin: Some advice on the very same page where one goes to change his password would refresh our memories and illustrate to those who may not have read your perfectly clear statement and howto.

Thanks for your help once more :slight_smile: