App stores client secret unencrypted in database

Disclosed: 2023-08-23 14:56:00 By rullzer To nextcloud
Low
Vulnerability Details
To identify the Nextcloud server, you need to have the client id and the client secret. The id is public but the secret is not. Currently this is stored in plain text in the database. Here you can't use hashing, as you need the actual value. But Nextcloud should at the very least make sure that this data is properly encrypted at rest in the database.

## Impact

An attacker that obtains read-only access to (a snapshot of) the database can impersonate the Nextcloud server without issues.
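One way to meet the "encrypted at rest" requirement described above, as an added example in Go that is not Nextcloud's own code: the client secret is sealed with AES-GCM under a key held outside the database, so the server can still recover the value (hashing is ruled out, as the report notes) while a read-only database snapshot yields only ciphertext. The key, client id and secret values used in the example are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// newGCM builds the AEAD from a 16, 24 or 32-byte key that lives outside the
// database (instance config, KMS), never in the table it protects.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSecret seals the client secret so the server can still recover it
// while a read-only DB dump alone reveals nothing. The public client id is
// bound as associated data, so a ciphertext cannot be copied into another row.
func encryptSecret(key []byte, clientID, secret string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per stored value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(secret), []byte(clientID))
	return hex.EncodeToString(sealed), nil // what actually goes in the column
}

// decryptSecret fails if the key, the ciphertext or the bound client id differ.
func decryptSecret(key []byte, clientID, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(stored)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed stored secret")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(clientID))
	return string(pt), err
}
```

The stored column then contains only hex ciphertext, so the impersonation scenario above requires the key from outside the database, not just a snapshot of it.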
Report Stats
  • Report ID: 1994328
  • State: Closed
  • Substate: resolved
  • Upvotes: 3