Description
Steps to reproduce
- Disable Allow sharing with groups (/index.php/settings/admin/sharing)
- Open Nextcloud Talk (/index.php/apps/spreed/)
- Click on Create a new group conversation (Conversation name is not relevant)
- Invite a group and click on Create conversation
- A group conversation is created and opens
- All group users are visible in the sidebar
- The full name and email of every user are visible
Expected behaviour
Allow sharing with groups is disabled. Therefore, sharing with a group should not be possible.
Actual behaviour
Sharing with groups is possible even though the option Allow sharing with groups is disabled. In this way, the name and email address of each user are leaked. Writing to whole groups also allows spamming.
This is a problem for:
- Public Nextcloud instances which offer free accounts
- Providers who offer Nextcloud but rely on one or more shared Nextclouds for their users
- Schools, associations or other organizations that operate a Nextcloud, but whose users register with their own private and non-public email address (I am thinking of schools whose students are possibly registered with their private email)
Q: But the user can set his email address in the profile to private.
A: Yes, but most users are not aware of this. And the standard cannot be changed.
Q: The problem is not so big, the user has to guess the group name.
A: The groups the user is in are visible in the profile.
Q: Then you simply must not use groups.
A: Apps like preferred_providers and others are based on groups.
Q: Yes, but... I think this is normal behavior of Talk and an accepted risk.
A: Then a hint would be useful.
Talk app
Talk app version: 10.0.5
Custom Signaling server configured: no
Custom TURN server configured: no
Custom STUN server configured: no
Browser
Microphone available: yes
Camera available: yes
Operating system: Ubuntu
Browser name: Chrome
Browser version: 88
Browser log
not relevant
Server configuration
Operating system: Debian
Web server: Nginx
Database: MariaDB
PHP version: 7.4
Nextcloud Version: 20.0.6
List of activated apps:
$ php ~/www/occ app:list
Enabled:
- accessibility: 1.6.0
- activity: 2.13.4
- bruteforcesettings: 2.0.1
- cloud_federation_api: 1.3.0
- comments: 1.10.0
- contactsinteraction: 1.1.0
- dashboard: 7.0.0
- dav: 1.16.2
- federatedfilesharing: 1.10.2
- federation: 1.10.1
- files: 1.15.0
- files_pdfviewer: 2.0.1
- files_rightclick: 0.17.0
- files_sharing: 1.12.2
- files_trashbin: 1.10.1
- files_versions: 1.13.0
- files_videoplayer: 1.9.0
- firstrunwizard: 2.9.0
- logreader: 2.5.0
- lookup_server_connector: 1.8.0
- nextcloud_announcements: 1.9.0
- notifications: 2.8.0
- oauth2: 1.8.0
- password_policy: 1.10.1
- photos: 1.2.3
- privacy: 1.4.0
- provisioning_api: 1.10.0
- recommendations: 0.8.0
- serverinfo: 1.10.0
- settings: 1.2.0
- sharebymail: 1.10.0
- spreed: 10.0.5
- support: 1.3.0
- survey_client: 1.8.0
- systemtags: 1.10.0
- text: 3.1.0
- theming: 1.11.0
- twofactor_backupcodes: 1.9.0
- updatenotification: 1.10.0
- user_status: 1.0.1
- viewer: 1.4.0
- weather_status: 1.0.0
- workflowengine: 2.2.0
Disabled:
- admin_audit
- encryption
- files_external
- user_ldap
Nextcloud configuration:
$ php ~/www/occ config:list system
The current PHP memory limit is below the recommended value of 512MB.
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "20.0.6.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true
    }
}
Server log (data/nextcloud.log)
not relevant
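
A minimal model of the missing check this report describes, added here as an illustration: the group-invite path next to a form that consults the admin setting server-side before resolving any group member. This is not code from Nextcloud or the Talk app; every class, function and field name is hypothetical and the sample users are constructed.

```python
from dataclasses import dataclass, field

class GroupSharingDisabled(Exception):
    """Raised when a group invite conflicts with the admin sharing policy."""

@dataclass
class User:
    uid: str
    display_name: str
    email: str
    email_private: bool = False  # profile scope; the report notes most users keep the default

@dataclass
class Server:
    allow_group_sharing: bool                   # models the admin option "Allow sharing with groups"
    groups: dict = field(default_factory=dict)  # group name -> list of User

def invite_group_unchecked(server, room, group):
    """Behaviour described in the report: the invite path never consults the setting."""
    room.extend(server.groups.get(group, []))
    return room

def invite_group_checked(server, room, group):
    """Hardened form: refuse on the server before any member is resolved."""
    if not server.allow_group_sharing:
        raise GroupSharingDisabled(group)
    room.extend(server.groups.get(group, []))
    return room

def sidebar(room):
    """What other participants see: the name always, the email unless set to private."""
    return [(u.display_name, None if u.email_private else u.email) for u in room]

def demo():
    # Constructed sample data, not taken from any real instance.
    students = [User("a", "Alice Example", "alice@example.org"),
                User("b", "Bob Example", "bob@example.org", email_private=True)]
    server = Server(allow_group_sharing=False, groups={"students": students})
    leaked = sidebar(invite_group_unchecked(server, [], "students"))
    try:
        invite_group_checked(server, [], "students")
        blocked = False
    except GroupSharingDisabled:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    print(demo())
```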