According to a recent blog published by security specialist Hanno Boeck and to a report published in Golem, use of the bug report function on Github has resulted in the potential publication of passwords by different users. When you fill out a bug report with ownCloud, you are asked for the contents of your configuration file, and in several cases, this has resulted in the inadvertent reporting of safety-relevant information.
ownCloud is responding to this problem with a cleanup of all issuesm a weekly scan, as well as a clearer security warning, which warns against recording sensitive information in the report.
Additionaly we want to emphasise the graphic Config Report that is already in use for ownCloud customers. Since ownCloud 9.1.4 this is available for everybody.
Although the form already contained a warning to remove passwords or other relevant data before sending it, these inadvertent publications have increased, and the data has subsequently become publicly accessible to Github. Particularly critical are passwords for SMTP access to mail servers.
Intensive Monitoring and Clear Indications
Using the API provided by Github, the ownCloud developers have scanned all relevant issues and have explicitly scanned passwords included in the reports. Across all repositories, 553 passwords could be found and have been removed manually. To counteract the problem more proactively, the previously mentioned information that no sensitive data was entered was once again emphasized more clearly. In addition, ownCloud will perform the automated scan once a week from now on.
With the Config Report, which is available both graphically as ownCloud App, but also via the command line, there is a simple and comfortable way to provide the configuration of the system for the reporting of issues without issuing any security-relevant information. These are automatically removed.
Users who have completed bug reports are advised to make a precautionary change to their passwords. If you have any questions, you can contact your ownCloud Support at any time.