Nextcloud Talk leaks email addresses of other Nextcloud Users #5047
Comments
see nextcloud/server#23172, requires adding a new option in core to hide these in the contacts menu
This option is specifically for the files app and about "sharing". This would require a new Talk option to also prevent creating group conversation with groups.
A similar ticket exists here #5039 but to limit participants that can be added to members of the same groups.
@PVince81 The issue nextcloud/server#23172 is a good start, but in my opinion it is not enough.
I would appreciate it if there would be such a talk option.
Is the setting you are looking for. With that people can only add groups they are a member of. Also note that there is no "leaking" of Full names as there is no privacy on full names. If someone adds 2 people into the room they will always see their names independent from any setting.
Correct code position for further reporting:
Okay, I guess I have to accept that. That's okay.
I do not think that this option will help in this case. I would like to achieve that users can not write to groups. Not even their own.
Or in other words: Currently Nextcloud Talk cannot be used on shared installations for these reasons. Unless I'm missing something or this problem is accepted by the users and the person responsible for the installation. I am unsure how to proceed with this issue. From Nextcloud Talk's point of view, the problem is now known, the issue has been closed, and the risk has thus been accepted. A few questions:
Don't get me wrong, currently it's no longer a problem for me. The Nextcloud Talk app is now simply disabled. But I think the issue could also be a problem for others who are not aware of it. If Nextcloud simply says "that's the way it is because that's the way it is" then that's okay with me.
Regarding your questions, I think it's a bug in the code I posted in the comment above. It is not respecting that config.
Well if you restrict sharing to own groups you can use it even as a hoster. Just make sure people that shouldn't know each other don't share a group 🤷🏼 This is how most universities use it
In my case this is not possible because preferred_providers works with groups.
Thanks for your time :-). I have created an issue accordingly.
Steps to reproduce
Allow sharing with groups (/index.php/settings/admin/sharing)
/index.php/apps/spreed/
Create a new group conversation (Conversation name is not relevant)
Create conversation
Expected behaviour
Allow sharing with groups is disabled. Therefore, sharing with a group should not be possible.
Actual behaviour
Sharing with groups is possible even though the option Allow sharing with groups is disabled. In this way, the name and email address of each user is leaked. Writing to whole groups also allows spamming.
This is a problem for:
Q: But the user can set his email address in the profile to private.
A: Yes, but most users are not aware of this. And the standard cannot be changed.
Q: The problem is not so big, the user has to guess the group name.
A: The groups the user is in are visible in the profile.
Q: Then you simply must not use groups.
A: Apps like preferred_providers and others are based on groups.
Q: Yes, but... I think this is a normal behavior of talk and an accepted risk. ☺️ Also, this is awkward because there is an extra option for this which does not work.
A: Then a hint would be useful
Talk app
Talk app version: 10.0.5
Custom Signaling server configured: no
Custom TURN server configured: no
Custom STUN server configured: no
Browser
Microphone available: yes
Camera available: yes
Operating system: Ubuntu
Browser name: Chrome
Browser version: 88
Browser log
Server configuration
Operating system: Debian
Web server: Nginx
Database: MariaDB
PHP version: 7.4
Nextcloud Version: 20.0.6
List of activated apps:
Nextcloud configuration:
Server log (data/nextcloud.log)