Security Issue: Thumbnails of pictures are not encrypted (default encryption module) #1967
Comments
This is a funny way to handle encrypted files. So please make it a feature request. What is it good for to encrypt files while exposing the content in thumbnails, especially for pictures!
Reference: https://github.com/nextcloud/server/blob/master/.github/CONTRIBUTING.md Please report security issues/bugs in the future the way described above 😉 THX 🙈 ... this was not relevant for this ticket, but it may be for your future reports, I'd love to see in our great Nextcloud community ... I see your point, and this may be something to be considered. ping @LukasReschke for telling us more about the technical reason (I think it's about performance and caching) of this restriction and if there are ways to "fix" it 🤔
"The primary purpose of the Nextcloud server-side encryption is to protect users’ files on remote storage, such as Dropbox and Google Drive, and to do it easily and seamlessly from within Nextcloud." (from https://docs.nextcloud.com/server/10/admin_manual/configuration_files/encryption_configuration.html?highlight=encryption) It is at the moment not aimed at protecting your data at rest on the local server. There are issues open about that though. But it's always the matter of someone doing the change ;)
There is the same issue on ownCloud. I thought Nextcloud would have fixed this issue since it claims that it is "very secure" (A+ rating rather than A rating in your scanner) and found this thread handling it the same way as ownCloud. Could not find any open issue regarding this here. Is some progress made here or will it be left as it is? Thanks.
I support that! I use the encryption to have an additional protection of my data on the server. Leaking the thumbnails is a huge bummer.
I support this, too. Nextcloud has per-user encryption (disabled master key), which is useful when you don't want to write unencrypted files to your hard drive for whatever reason (hard drive might be confiscated, server might expire before you had a chance to wipe the drive, client requires it, using network file storage that acts as local storage, just because you can, ...), but the unencrypted thumbnails ruin it. While you can disable thumbnails, it is obviously not a very elegant solution.
I want to re-open this issue. I am using Nextcloud currently without thumbnails and per-user encryption. Would love to use thumbnails one day. Thumbnails could be stored in a .thumbnails folder in the root folder of each user. When sharing a file with other users, the thumbnail can be shared with it. When unsharing a file, the thumbnail should be unshared as well. Thanks!
Bug report:
Security Issue: Thumbnails of pictures are not encrypted (default encryption module)
Steps to reproduce:
1. Activate default encryption module also for user folders
2. Upload pictures into user folder
3. View them with gallery
4. Access nextcloud data-folder on Server via sftp or ssh
5. View the thumbnails without decrypting routines.
Expected behavior:
In case of user folder data encryption module turned on, I would expect that all thumbnails generated should be encrypted on the server, too.
Actual behaviour:
Thumbnails and Diashows are stored unencrypted on server in data-folder.
Server configuration:
Operating system: Webspace
Web server: Webspace
Database: MySQL
PHP version: 7
cloud server: Nextcloud 10.0.1
cloud version: (see admin page or version.php)
Updated from an older installation or fresh install: Updated from Nextcloud 9
See closed issue nextcloud/galery#167
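
An audit check for the behaviour reported above, as an added example that is not part of the original issue or of Nextcloud's code: it walks a data folder and lists image files whose first bytes are a readable JPEG/PNG/GIF signature instead of an encryption header. It assumes files written by the default encryption module begin with `HBEGIN:`; the directory layout and file names are constructed sample data.

```python
import os
import tempfile

# Assumption (not from the page): files written by the default encryption
# module start with an ASCII header beginning "HBEGIN:".
ENC_HEADER = b"HBEGIN:"
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}

def classify(path):
    """Return 'encrypted', 'plaintext-<kind>' or 'unknown' from the first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(ENC_HEADER):
        return "encrypted"
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return "plaintext-" + kind
    return "unknown"

def find_plaintext_images(data_dir):
    """Walk data_dir and list (relative path, verdict) for readable images."""
    hits = []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                verdict = classify(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if verdict.startswith("plaintext-"):
                hits.append((os.path.relpath(path, data_dir), verdict))
    return sorted(hits)

def build_sample(data_dir):
    """Constructed sample tree: encrypted uploads plus one plaintext thumbnail."""
    samples = {
        ("alice", "files", "photo.jpg"): b"HBEGIN:constructed-header:HEND" + b"\x00" * 32,
        ("alice", "thumbnails", "photo-32x32.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        ("alice", "files", "notes.txt"): b"HBEGIN:constructed-header:HEND" + b"\x00" * 8,
    }
    for parts, content in samples.items():
        path = os.path.join(data_dir, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, verdict in find_plaintext_images(tmp):
            print(verdict, rel)
```

Run against a copy of the real data folder, every path it prints is an image readable by anyone with file-level access to the server.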