Source URL: https://www.theregister.com/2025/03/13/nextcloud_data_leak_scare/
Source: The Register
Title: Nextcloud puts out fire after data leak panic
Feedly Summary: Community calls for off-by-default data sharing setting
Open source software biz Nextcloud issued fixes to its software this week after bug hunters raised concerns about data collection.…
Summary: Nextcloud has addressed a critical bug that caused unnecessary user data requests following a recent software upgrade. Despite initial concerns about user data collection, the company confirmed that no data was stored without user consent and traced the issue to a logic error in the server's communication with a lookup server. It is taking steps to strengthen user privacy in future updates.
Detailed Description: Nextcloud's handling of this bug is a useful case study in information security and privacy. Its response to a bug that raised alarms about user data collection shows why vigilance in software security matters for open-source applications, especially those that emphasize user privacy.
Key points from the incident include:
– **Incident Discovery**: The issue was first noted by a Mastodon user who, after upgrading to version 31.0.0, observed unusual activity in their server logs.
– **Initial Concerns**: Users were worried about potential non-consensual data collection, because it appeared that Nextcloud was enumerating all local users.
– **Developer Investigation**: Dutch researcher Tobias Fiebig collaborated with Nextcloud's director of engineering to investigate the root cause, which was a logic error introduced in a prior release.
– **Data Security Assurance**: Nextcloud developers confirmed that user data was not stored unless users opted in explicitly. The behaviour was traced to a "logic issue" that caused unintended requests from the Nextcloud server to a lookup server, introduced by changes made for data clean-up.
– **Actions Taken**:
  – The Nextcloud team quickly fixed the issue by disabling the lookup server for all users, preventing the excessive requests and logging.
  – They reassured users that no data had been inadvertently exposed and reiterated their commitment to user privacy.
  – The company runs a responsible reporting programme for bugs via HackerOne, backed by a bug bounty.
– **Future Mitigations**: Nextcloud plans to change the federated file sharing setting to "off" by default and to add warning pop-ups for administrators in upcoming updates, so that administrators are aware of what data sharing is enabled.
– **Timeline of Response**: From the first report of the concern to disabling the affected feature, Nextcloud acted swiftly to retain user trust.
This incident underscores how essential security is in software, particularly for organizations focused on privacy-centred solutions. The proactive measures Nextcloud is taking can serve as a model for other companies facing similar issues in software security and user data protection.