Privacy Issues: OwnCloud user email addresses should not be suggested when sharing with link

ocmdi · February 7, 2017, 11:33am

Hello,

I noticed that when sharing with a link, owncloud will suggest email address for all owncloud users that match a begins-with (or substring? - doesn't matter) of what is being typed. This is a privacy issue.

I don't think this should happen at all, but at a very minimum, it should only happen if "Restrict users to only share with users in their groups" is unchecked.

In my case the "Restrict users to only share with users in their groups" is checked". This is to prevent ownCloud from auto-completing usernames when sharing for users outside of their group - users that they shouldn't even know exist on the system. This seems to work as expected.

However, keeping user groups private from each other is broken by auto-completing the email address for any ownCloud user when sharing a link.

If this should go somewhere else (eg. on an issue/bug tracking site) please let me know.

Thanks.

UPDATE: Forgot to mention I am running ownCloud v 9.1.3 (stable)

hodyroff · February 7, 2017, 1:44pm

Fixed in 9.1.4

ocmdi · February 7, 2017, 4:00pm

@hodyroff - Thanks for pointing me to the Github issue.

However, I think there is a significant problem with how it was chosen to be implemented. Where can I / should I make comments about this to further explain? Here, or on Github?

Thanks.

anon81984126 · February 7, 2017, 4:51pm

At github within a new issue pointing to the old issue.

hodyroff · February 7, 2017, 4:52pm

Willing to listen either way Here is more free form - github is more formal. Your choice.

ocmdi · February 7, 2017, 4:57pm

@hodyroff

Thanks again for the reply. I'll try to explain here and see what you think.

First off, this is a summary of a current / working scenario that allows for privacy and convenience.

Set the following options:

"Allow username autocompletion in share dialog" = Enabled
"Restrict users to only share with users in their groups" = Enabled

Result:

Now you can have groups of users that are restricted to auto-complete on usernames that are members of their group(s). This gives the end user the auto-complete convenience AND it restricts auto-complete from giving away usernames of other ownCloud users that are not members of the group(s). Great!

Comments:

The only problem at this point is that you can defeat this privacy measure by using the "share via link" feature. In this case all email addresses and usernames are exposed - it's not restricted to the users in your group(s). This is the issue that needs to be resolved.

Problem with current solution to resolve this issue (The GitHub link you brought to my attention):

By using the single option "Allow username autocompletion in share dialog" to globally disable auto-complete it breaks the scenario described above. i.e. If "Allow username autocompletion in share dialog" is disabled, in the scenario above you cannot use autocomplete - even for users in your own groups.

The result is that you lose a ton of convenience for sharing inside of ownCloud (not having to type in full usernames) to restrict email address auto-completion for the share via link.

I don't think this good.

A Better solution:

Add a new admin option that specifically handles email auto-complete for the "Share via Link" feature. The 2 mandatory options would be:

1). Global enable for auto-complete (the way it works now - the default)
2). Global disable auto-complete

and/or possibly a 3rd option - A sub-option under the existing "Allow users to share via link" option

3). Restrict email auto-complete to users in thier groups

--

Please let me know if this doesn't make sense. I know it's a lot of reading. Sorry about that!

anon81984126 · February 7, 2017, 5:28pm

AFAIK those are email addresses from your address book / contacts, not the e-mail addresses from your group / ownCloud users.

hodyroff · February 7, 2017, 5:36pm

Correct. @ocmdi can you verify?

ocmdi · February 7, 2017, 6:12pm

Thank-you for working with me on this.

The email address definitely comes from the ownCloud users (the full, unfiltered list of users).

To confirm this I created a new user - "test", logged in and set the email to "test@test.com".

In a different browser (logged in as a different user) I refreshed the page and used the "share via link" feature. I entered the string "test" into the email address field and it suggested "test@test.com"

This is email is not used anywhere else.. it had to come from owncloud. As you can see in the attached screenshot, it even listed the owncloud username.

anon81984126 · February 7, 2017, 6:34pm

I can't confirm / reproduce this on a oC 9.1.4 instance with Allow username autocompletion in share dialog. If this is disabled the full username needs to be entered. enabled.

ocmdi · February 7, 2017, 6:46pm

Yes, but what you're describing is exactly the problem.

With the fix in OC 9.1.4, after setting "Allow username autocompletion in share dialog" to disabled, email addresses are no longer suggested in the "share via link" option. OK - This is great. I agree that this is the desired result...

However, the unintended consequence by implementing it this way is that now usernames are also no longer suggested where you actually want them to be suggested (i.e. as in the scenario I described above - sharing within a group and being able to use auto-complete with usernames restricted to those users in your group). This functionality is now broken.

Because of the way this was implemented it's all or nothing. This is what I'm saying is not a good idea.

You should be able to disable auto-complete for email addresses in the "Share via link" option, but not have to disable auto-complete everywhere else in ownCloud where it's working fine / not causing a privacy issue.

anon81984126 · February 7, 2017, 6:49pm

My setting is enabled not disabled

Edit Seems you have to untick and tick the checkbox again to get the behavior you're observing.

ocmdi · February 7, 2017, 8:07pm

Interesting. I'm not sure when I unchecked / checked the box for "Allow username autocompletion in share dialog" (checked by default I think, right?). I think in my case the order of events / testing was:

1). Setup new users in groups
2). Test to see if users could get username auto-complete help for users that were not in their groups. Yes, they could (bad, for me anyway)
3). Enable the "Restrict users to only share with users in their groups" and test again. Now the users cannot get username auto-complete help for users that are not in their groups (great!)
4). let some time pass, thinking that everything is good in the world
5). Use the "share as link" feature and realize that email/usernames are being autocompleted based on the entire ownCloud user lists

At this point I may have have unchecked / checked the "Allow username autocompletion in share dialog" admin feature. Not sure if I did this earlier.

In any case, do you agree with the behaviour I've described? And, if you do, do you think I should open an issue on GitHub?

hodyroff · February 8, 2017, 8:18am

Yes. Please describe desired versus expected behaviour and reproduction. I am not sure I understood yet what is now missing. Maybe I do: Autocomplete off means that now also the autocomplete inside the group does not work anymore? In this case with % or space you can get the full list of users available to you I think.
But we will check it based on the github enhancement request.

ocmdi · February 8, 2017, 1:50pm

Ok. I just created a GitHub issue here. I tried to keep it consice, but I'm afraid it's too wordy. If I was a developer I think I'd be looking for things to be explained in less words!

anon81984126 · March 25, 2017, 10:26am

Seems that was a bug in the previous implementation which got fixed in the next oC versions: