SECURITY BUG - encryption


#1

I can't download encrypted libraries that somebody shared with me. 6.2.2.
Cannot on Android, cannot on Windows. Running Seafile on an RPi.
It says download failed. Nothing else. It doesn't even ask for a password.

When I log in to the web client and try to download that encrypted library, it doesn't even ask for a password, it just starts the download. This is a major fail.


#2

https://manual.seafile.com/security/security_features.html
When you are browsing encrypted libraries via the web browser or the cloud file explorer, you need to input the password and the server is going to use the password to decrypt the “file key” for the library (see description below) and cache the password in memory for one hour.


#3

Indeed it should, but it never did. I logged in to my account on a PC, entered the Seafile library password. I logged out, logged in as another account and could access the same library directly without entering the password again.


#4

Yes, it is. It looks like once an encrypted library is unlocked through the web interface (or phone clients), the 'file key' will be kept in the server memory for 1 hour. During this period, no matter which account (including the shared one) accesses this library, it won't ask for the password. I think this is by design.


#5

This design is a major security fail then.


#6

Making noise regarding this. What is your professional background if I may ask?


#7

Internet software and security advice. If you read the post from the beginning, you can see that I accidentally discovered this, without intention.


#8

If you access this library via web and you enter the password it will be cached on the server for one hour, and because of this, you can access the library with another user without typing in the password again.
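The mechanism described in #4 and #8 (a file key unlocked by one account is reused for any account that can reach the library, until a one-hour timer runs out) is easy to reason about in code. The block below is an added example written for this thread, not Seafile's own server code: the key derivation, the `KeyCacheServer` class, the account names and the one-hour constant are all assumptions made to model the behaviour. It runs the same scenario twice, once with the cache keyed by library only (what the thread reports) and once keyed by (account, library), which is one possible mitigation, not a statement about how Seafile is or should be implemented.

```python
"""Model of server-side caching of an encrypted library's file key (example, not Seafile code)."""
import hashlib
import hmac
import time
from typing import Callable, Dict, Set, Tuple

CACHE_TTL_SECONDS = 3600  # the manual says the password is cached for one hour


def derive_file_key(password: str, repo_id: str) -> bytes:
    """Stand-in for the real key derivation (assumption: PBKDF2-HMAC-SHA256,
    library id as salt). Only the caching logic matters for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), repo_id.encode(), 10_000)


class KeyCacheServer:
    """Minimal server that keeps decrypted file keys in memory for a while.

    per_user=False keys the cache by library only (the behaviour the thread
    describes: any account with access reuses an unlock done by someone else).
    per_user=True keys it by (account, library), so each account must supply
    the password itself. Both are models, not Seafile's implementation.
    """

    def __init__(self, per_user: bool, clock: Callable[[], float] = time.monotonic):
        self.per_user = per_user
        self.clock = clock
        self.expected_key: Dict[str, bytes] = {}            # repo_id -> key derived at creation
        self.access: Dict[str, Set[str]] = {}               # repo_id -> accounts allowed in
        self.cache: Dict[object, Tuple[bytes, float]] = {}  # cache key -> (file key, expiry)

    def create_repo(self, owner: str, repo_id: str, password: str) -> None:
        self.expected_key[repo_id] = derive_file_key(password, repo_id)
        self.access[repo_id] = {owner}

    def share(self, repo_id: str, user: str) -> None:
        self.access[repo_id].add(user)

    def _cache_key(self, user: str, repo_id: str):
        return (user, repo_id) if self.per_user else repo_id

    def unlock(self, user: str, repo_id: str, password: str) -> bool:
        """What happens when a user types the library password in the web UI."""
        if user not in self.access.get(repo_id, set()):
            return False
        key = derive_file_key(password, repo_id)
        if not hmac.compare_digest(key, self.expected_key[repo_id]):
            return False
        self.cache[self._cache_key(user, repo_id)] = (key, self.clock() + CACHE_TTL_SECONDS)
        return True

    def download(self, user: str, repo_id: str) -> str:
        """Returns 'ok', 'password_required' or 'denied'."""
        if user not in self.access.get(repo_id, set()):
            return "denied"
        ck = self._cache_key(user, repo_id)
        entry = self.cache.get(ck)
        if entry is None or entry[1] <= self.clock():
            self.cache.pop(ck, None)  # expired or never unlocked
            return "password_required"
        return "ok"


def reproduce(per_user: bool) -> Tuple[str, str, str]:
    """Constructed scenario: alice shares an encrypted library with bob and
    unlocks it herself; bob then tries to download right away, and again an
    hour later. Returns bob's result at both times plus a stranger's result."""
    now = [0.0]
    srv = KeyCacheServer(per_user, clock=lambda: now[0])
    srv.create_repo("alice", "repo-1", "correct horse battery staple")
    srv.share("repo-1", "bob")
    assert srv.unlock("alice", "repo-1", "correct horse battery staple")
    right_away = srv.download("bob", "repo-1")
    now[0] += CACHE_TTL_SECONDS + 1
    an_hour_later = srv.download("bob", "repo-1")
    stranger = srv.download("mallory", "repo-1")
    return right_away, an_hour_later, stranger


if __name__ == "__main__":
    print("library-keyed cache:", reproduce(per_user=False))
    print("account-keyed cache:", reproduce(per_user=True))
```

With the library-keyed cache, bob's first download succeeds without ever seeing a password prompt, exactly the observation in #3, and only the timer brings the prompt back. Keying by account removes that cross-account reuse but does not change the underlying design point raised in the thread: for the duration of the cache the server, not the client, holds the material needed to decrypt the library.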


#9

I reproduced this bug, just don't tell me I'm the only one with this behaviour.

  1. I create an encrypted library.
  2. I share it to user2.
  3. I see the library in the Android client.
  4. I reboot the server and in the Android client, where user2 is logged in, I delete the library password from the preferences menu.
  5. I click on the encrypted shared library as user2 in the Android client and it DOESN'T ASK FOR A PASSWORD!!!
    I can simply browse the file system, but I cannot download files.

So to me this looks like the noise should be made, shouldn't it?


#10

OK, I got your point now.
It looks to me like this is your Android client's problem. Is it the latest version?
I just conducted a test on an Android device (fresh install, version 2.2.1 from the Google Play store), trying to open an encrypted library that was never opened on this device before and not opened in the web interface in the past 1 hour. It DOES ask me for a password.

Note that without a password, the file tree of an encrypted library may still be browsed because it is not encrypted (https://manual.seafile.com/security/security_features.html). However, the content cannot be downloaded. So I suspect what happens here is that the Android client fails to detect this is an encrypted lib, opens it as a normal lib, shows the file tree, but fails to download the file content.


#11

Thank you very much:)

So I have the latest version. I also let all the app data vanish from the Android app settings. I see that it might be a bug just here on my device, but please conduct one more test - try this with a library that someone shared with you and that is encrypted. It does not ask me for a password, it lets me browse files (imo security goodbye) and it doesn't let me open files. Both in the Android client and the Windows client. Both latest version, server 6.2.2.

I suspect your suspicion might be right.


#12

I did the test as you suggested, creating an encrypted lib in account A and sharing it with another account B. Logged in as account B in the Android client and opened the shared encrypted lib. It asks for the password as expected.
My system setup is Ubuntu 14.04 + Pro 6.2.2, the same as yours.

I just saw there is an option in the Android client's settings, "Encrypted library data decryption mode". Default is off. Will turning it on make a difference? Although it doesn't matter on my side.


#13

I tried that too, that's the obvious option where to go next:) No difference though.

But see my point? The behaviour is the same in the Win client.

I believe it must be some local problem and I don't know how to continue now. Thank you for your time though.


#14

Yeah, that's weird.
One more question: did you see a tiny lock in the logo of your encrypted library? Just to make sure the server sends the right metadata information.


#15

Yes, I see tiny locks.


#16

Seriously, nobody can reproduce this bug?


#17

Hello, it's great to see someone from Czechia here :wink:

OK so, I tried to reproduce this error without success. Maybe try to describe the steps you are doing in a little more detail, because I tried your steps and it didn't work. So I tried to type the password, go inside the library, then via options clear the passwords, and yes, it actually stays in the file list, but if I try to go to some subfolder it wants the password again.


#18

Hi:)

The problem is that when you clear the password you should leave the library.

Anyway, have you tried to share this encrypted library? Can you access it from the Android/Win client from the account that you shared it with?


#19

Yes, I created a special user for this testing. Logged in to the Android app (2.1.1). Then went to seahub logged in with my personal account and shared the encrypted library to the new one. Then updated the file list and the library appeared; after clicking it wants the password.

So you are saying that your problem is that you enter the encrypted library (WITH typing the password) and then go to options, hit "clear passwords", and after this you are still able to see files until you somehow interact, like trying to go to some subfolder or leaving the library?


#20

I'm saying that:

  1. I create an encrypted library.
  2. I share it to my friend.
  3. Friend opens a file from this library in the Android client.
  4. Friend doesn't get the file open. He cannot. No password prompt.
  5. My friend goes to the Windows client and tries to open the file in the library.
  6. He cannot, since he is not prompted for a password.

And as holantomas says - my friend is able to browse the library.

I know, security through obscurity, but - wtf - I can see files inside something encrypted while I don't know the password???