Bypassing lock protection
Discovered by doragon on Nextcloud

This issue took 15 Days and 21 hours to triage and 124 Days and 0 hours to resolve once triaged.



Nextcloud allows multiple accounts within the Android client app and relies on a single lock.

Using the exposed nc://login intent, it is possible to add a new account under an attacker-controlled domain and open the Nextcloud app without the lock check.

Proof of concept

  1. Open the NC app with the lock displayed.
  2. Trigger the following intent: adb shell am start -a android.intent.action.VIEW -d "nc://login/server:MY_SERVER\&user:ME\&password:PWD" --es "ACCOUNT" "not_valid"
  3. If the "add an account" action fails, the attacker can still add an account in the screen the app opens, and can check the other accounts installed in the app.

Remark

Note that the "adb shell" commands could also be triggered by an app, so adb access is not required. The "--es" option is required to prevent an app crash at:

 AuthenticatorActivity.java:303
  mAccount = getIntent().getExtras().getParcelable(EXTRA_ACCOUNT);

Impact

The lock can be removed, and data can then be retrieved, altered, or uploaded.
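
The report hinges on an activity that other apps can start through a VIEW deep link (nc://login) without passing the lock screen. The following is an added audit example, not code from the report or from Nextcloud: it lists every exported activity in an AndroidManifest.xml that accepts a VIEW URI, so each one can be reviewed for lock enforcement. The manifest, package name and the non-AuthenticatorActivity names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration; not the real Nextcloud manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.client">
  <application>
    <activity android:name=".AuthenticatorActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="nc" android:host="login"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

def deep_link_entry_points(manifest_xml):
    """Return (activity, scheme, host) for each activity another app can start via a VIEW URI."""
    found = []
    for activity in ET.fromstring(manifest_xml).iter("activity"):
        name = activity.get(ANDROID + "name")
        filters = activity.findall("intent-filter")
        # Before Android 12, a component with an intent filter is exported unless it says otherwise.
        exported = activity.get(ANDROID + "exported", "true" if filters else "false")
        if exported != "true":
            continue
        for flt in filters:
            actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
            if "android.intent.action.VIEW" not in actions:
                continue
            for data in flt.findall("data"):
                scheme = data.get(ANDROID + "scheme")
                if scheme:
                    found.append((name, scheme, data.get(ANDROID + "host")))
    return found

if __name__ == "__main__":
    for name, scheme, host in deep_link_entry_points(SAMPLE_MANIFEST):
        print(f"{name}: {scheme}://{host or '*'} must enforce the app lock before handling the intent")
```

Each activity the function reports is an entry point that bypasses the normal launcher flow, so it needs its own lock check and a null-safe read of intent extras.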