Credentials potentially leaked to other configured ownCloud instance

Aug 3, 2015

Description

A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances.

Specifically, the ownCloud iOS application allows users to connect to multiple ownCloud instances offering an easy way to switch between different accounts on different instances. An user may for example configure their hosted ownCloud by a third-party provider as well as their company ownCloud instance.

In some cases when switching the accounts in the iOS applications the application is not properly handling the state switch and will continue to send the previous authentication headers to the other instance. Thus a malicious administrator on another configured ownCloud instance may gain access to the user’ credentials on the other instance.

Affected Software

  • ownCloud Mobile < iOS 3.4.4 (CVE-2015-5955)

Action Taken

The iOS application is now properly handling credentials as well as cookies and will send these only to the correct domains.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. () – Vulnerability discovery and disclosure.