nextcloud / end_to_end_encryption

:closed_lock_with_key: Server API to support End-to-End Encryption
https://apps.nextcloud.com/apps/end_to_end_encryption
GNU Affero General Public License v3.0

When moving a file to encrypted folder it is placed in the trash bin, and its copy is placed in an encrypted folder #423

Open ostasevych opened 1 year ago

ostasevych commented 1 year ago

I found a security breach in the algorithm of encrypting files with the E2EE algorithm. Let's assume you have had some sensitive data, which has been stored amongst your Documents. You have decided to secure it, created an encrypted folder and moved the sensitive files there. So you assume that the files with sensitive data have actually been moved, but NO: a new encrypted copy has been created in the secured folder, while the original files have been placed in the trash bin. So you may restore them again and have them in the folder they came from.

In my opinion, this may be a serious security issue, as those who have access to the server may easily go to the trash bin and find the copy of the file, which you expect is secured by placing it in your encrypted folder.

What should be done: the content of the file should be really encrypted, and there shouldn't be any traces which may be used for its restoring.

ostasevych commented 1 year ago

The same behaviour happens at the level of the OS. Let's say I create some text file in the secured folder, and afterwards I decide to erase it. Surprisingly, you will find it in your trash bin, and you may manually read or restore that file unencrypted. In my opinion that is another level of security breach. The file should either stay in the encoded state or be erased completely from your file system.

kesselb commented 1 year ago

Hi @ostasevych,

Please submit your findings to our security team: https://hackerone.com/nextcloud.

joshtrichards commented 12 months ago

> So you assume that the files with sensitive data have actually been moved, but NO: a new encrypted copy has been created in the secured folder, while the original files have been placed in the trash bin. So you may restore them again and have them in the folder they came from.

What client? This is handled by the clients, not by the e2ee app. The only trash bin handling the e2ee app does on the server is to disable the trash bin for encrypted folders.

I'll point out that this data was already cleartext, so this isn't exposing previously encrypted data, but I can see how the behavior might be unexpected/undesirable.

> The same behaviour happens at the level of the OS. Let's say I create some text file in the secured folder, and afterwards I decide to erase it. Surprisingly, you will find it in your trash bin, and you may manually read or restore that file unencrypted. In my opinion that is another level of security breach. The file should either stay in the encoded state or be erased completely from your file system.

Created a text file how? The trash bin is entirely disabled for encrypted files. This can only happen if the file isn't actually encrypted to start with. Was it something like nextcloud/text#5168, where the text file wasn't even encrypted to begin with?
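The distinction the thread turns on, a client "move" that is really an encrypted upload followed by a normal delete versus a move that never routes the plaintext through the trash bin, can be made concrete with a small model. The following is an added illustration and is not code from the end_to_end_encryption app or from any Nextcloud client; the storage, trash bin, paths, key and XOR "cipher" are all constructed stand-ins, and the names (`Storage`, `toy_encrypt`, `plaintext_in_trash`, `run_scenario`) are hypothetical. It also models the server-side rule described above, that the trash bin is disabled for files inside encrypted folders, so a delete inside `Secure/` leaves no trash entry while a delete of the plaintext original in `Documents/` does.

```python
"""Toy model: two ways a client can 'move' a plaintext file into an E2EE folder.

Added illustration, not code from the Nextcloud e2ee app or any client. The
storage, trash bin and cipher are constructed stand-ins; the point is which
strategy leaves recoverable plaintext in the trash bin, as the issue describes.
"""
from dataclasses import dataclass, field
import hashlib


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Placeholder cipher (XOR with a SHA-256 keystream). Not real E2EE; it only
    makes ciphertext differ from plaintext so the audit below can tell them apart.
    Applying it twice with the same key restores the input."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


@dataclass
class Storage:
    files: dict = field(default_factory=dict)   # path -> content
    trash: dict = field(default_factory=dict)   # original path -> content
    encrypted_dirs: set = field(default_factory=set)

    def in_encrypted_dir(self, path: str) -> bool:
        return any(path.startswith(d + "/") for d in self.encrypted_dirs)

    def delete(self, path: str) -> None:
        """Normal delete: the server keeps a trash copy, except inside
        encrypted folders, where the trash bin is disabled (constructed rule
        mirroring the server behaviour described in the thread)."""
        content = self.files.pop(path)
        if not self.in_encrypted_dir(path):
            self.trash[path] = content

    def move_via_copy_and_delete(self, src: str, dst: str, key: bytes) -> None:
        """Strategy A: upload an encrypted copy, then delete the original through
        the normal delete path. The plaintext original lands in the trash bin."""
        self.files[dst] = toy_encrypt(self.files[src], key)
        self.delete(src)

    def move_via_rename(self, src: str, dst: str, key: bytes) -> None:
        """Strategy B: take the plaintext out of its old location and store only
        the encrypted form at the new one, with no delete, so nothing is trashed."""
        self.files[dst] = toy_encrypt(self.files.pop(src), key)


def plaintext_in_trash(storage: Storage, original_plaintext: bytes) -> list:
    """Audit: trash entries that still hold the plaintext that was supposedly moved."""
    return [p for p, c in storage.trash.items() if c == original_plaintext]


def run_scenario(strategy: str) -> list:
    """Move a constructed file into the E2EE folder using one strategy and
    return the trash paths that still expose its plaintext."""
    s = Storage(encrypted_dirs={"Secure"})
    secret = b"constructed sensitive content"
    s.files["Documents/plan.txt"] = secret
    key = b"constructed-key"
    mover = s.move_via_copy_and_delete if strategy == "copy_delete" else s.move_via_rename
    mover("Documents/plan.txt", "Secure/plan.txt", key)
    assert s.files["Secure/plan.txt"] != secret  # the copy in the E2EE folder is ciphertext
    return plaintext_in_trash(s, secret)


def delete_inside_encrypted_dir() -> list:
    """The second report in the thread: deleting a file that really is inside the
    encrypted folder creates no trash entry under the modelled rule."""
    s = Storage(encrypted_dirs={"Secure"})
    s.files["Secure/note.txt"] = toy_encrypt(b"constructed note", b"constructed-key")
    s.delete("Secure/note.txt")
    return list(s.trash)


if __name__ == "__main__":
    print("copy+delete leaves plaintext in trash at:", run_scenario("copy_delete"))
    print("rename leaves plaintext in trash at:", run_scenario("rename"))
    print("trash entries after delete inside Secure/:", delete_inside_encrypted_dir())
```

Running it shows that only the copy-then-delete strategy leaves `Documents/plan.txt` recoverable from the trash, which matches the reporter's observation and joshtrichards's point that the leak is of data that was never encrypted rather than of E2EE content. Since the trash bin is server-side, a client that wants "move" to mean "no plaintext left behind" has to avoid the normal delete path or purge the trash entry it creates.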