don't reveal users mail adress by default

[yasuoiwakura]

Steps to reproduce

1. register as a new user
2. after some months, explore the menu
3. discover that your mail adress was public to ALL the other cloud users on the same server

Expected behaviour

Private data should not be revealed by default

Make public data available, protect private data.
Source:

• hacker ethics
• gdpr

Actual behaviour

Users mail adress is revealed to other users by default

Server configuration

LAMP, Ubuntu 18.04

Nextcloud version: 15.0.5
fresh installl since upgrade from OC failed

Where did you install Nextcloud from: Webclient

List of activated apps:
deactivated ALL Apps - same behavior

Nextcloud configuration:

Config report

If you have access to your command line run e.g.:

```{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.REMOVED.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "15.0.5.3",
        "overwrite.cli.url": "https:\/\/cloud.REMOVED.de",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "pipe",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "CUSTOMSETTINGSMATTHIAS": "ab hier!!!",
        "default_language": "de",
        "default_locale": "de",
        "force_language": "de",
        "force_locale": "de",
        "mail_smtpsecure": "ssl",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}```

### Client configuration
**Browser:**
IE, FF, Chrome
**Operating system:**

[violoncelloCH]

what do you think @nextcloud/server-triage ?

[nickvergessen]

Actually the default is contacts only:
https://github.com/nextcloud/server/blob/master/lib/private/Accounts/AccountManager.php#L308

[violoncelloCH]

yes, but contacts means all other users on the same server plus trusted federation servers, doesn't it? I think that's the point of @yasuoiwakura...

[yasuoiwakura]

Yes, i see no reason to assume my users would want their mail adress revealed to each other.
I mean, I cannot see any of the github user's email (not even those who wrote in the same topic) and i guess there is a good reason it is private by default

[yasuoiwakura]

Any idea how to temporary fix or disable this leak? it is a real privacy problem for my users...

[yasuoiwakura]

Updated to NC16, still same problem.

btw. this information is false, since it claims that only administrators have access to my data:

https://cloud.domain.tld/index.php/settings/user/privacy

[nickvergessen]

Datas in this term are your files. The email address is also checked for sharing, so this is more of a general issue with a bigger impact on how all the things are handled and needs some more planing then a quick change on a setting

[nickvergessen]

Okay I just checked again and I was wrong.
If the email is set to private, you can not find users by their email address.

So I guess it boils down to the fact, that you registered (on a public instance) where "everyone on the cloud knows each other" is not a good sensitive default.
Maybe we should add an option for that, so admins can configure this.

[nickvergessen]

cc @rullzer @MorrisJobke what do you think about this?

[yasuoiwakura]

hm my current workaround is to <!--hide--> the contact list in the upper right corner.

imho, users should indeed be able to share files with other users/groups (should be defined by admin) without seeing their email.

[demlak]

Workaround untill next update of NC to set default mode of email to private FOR NEW USER-REGISTRATION.

Edit in lib/private/Accounts/AccountManager.php

                        self::PROPERTY_EMAIL =>
                                [
                                        'value' => $user->getEMailAddress(),
                                        'scope' => self::VISIBILITY_CONTACTS_ONLY,
                                        'verified' => self::NOT_VERIFIED,
                                ],

to

                        self::PROPERTY_EMAIL =>
                                [
                                        'value' => $user->getEMailAddress(),
                                        'scope' => self::VISIBILITY_PRIVATE,
                                        'verified' => self::NOT_VERIFIED,
                                ],

This worked in my test-environment.

But i also want to set the value for allready registered users.. so i update the value in the database "oc_accounts" via:
UPDATE oc_accounts set data = json_set(data, "$.email.scope", "private")

This was not enough. mails are still shown.. so i dumped database before and after setting an email to private mode to diff them. and the result is, that email is also set in 'oc_cards' and 'oc_cards_properties'
editing those two databases seem to be more difficult =(

any idea?

[demlak]

So.. no solution to set globaly mailadress hidden for allready registered users?

[yasuoiwakura]

So.. no solution to set globaly mailadress hidden for allready registered users?

issue still there and ignored in NC18.

Workaround that "hides" the problem without breaking code integrity:
activate https://github.com/juliushaertl/theming_customcss
Then goto Design => Custom CSS:

#contactsmenu{
visibility: hidden;
}

[demlak]

Okay I just checked again and I was wrong.
If the email is set to private, you can not find users by their email address.

So I guess it boils down to the fact, that you registered (on a public instance) where "everyone on the cloud knows each other" is not a good sensitive default.
Maybe we should add an option for that, so admins can configure this.

Since i'm not a coder.. how difficult is it to make this an option for config.php?

[jamasi]

So.. no solution to set globaly mailadress hidden for allready registered users?

issue still there and ignored in NC18.

Workaround that "hides" the problem without breaking code integrity:
activate https://github.com/juliushaertl/theming_customcss
Then goto Design => Custom CSS:

#contactsmenu{
visibility: hidden;
}

A less intrusive approach that is not breaking the autocomplete is simply hiding the mail icon:

div#contactsmenu.openedMenu div#contactsmenu-menu.menu div.content div#contactsmenu-contacts div div.contact a.top-action {
   visibility: hidden;
}

Still this is no real solution as the email address is still disclosed in the source code of the page.

[jamasi]

After digging deep into the model view controller ajax jquery stack I found this patch to close the data leak:

In nextcloud/lib/private/Contacts/ContactsMenu/ActionFactory.php edit the function that generates the email link to only generate blank links:

        public function newEMailAction($icon, $name, $email) {
                return $this->newLinkAction($icon, '', '');
        }

EDIT: An even better patch is to edit nextcloud/lib/private/Contacts/ContactsMenu/Providers/EMailProvider.php.
Change if (empty($address)) { to if (1) { so no mailto: links are generated anymore:

        public function process(IEntry $entry) {
                $iconUrl = $this->urlGenerator->getAbsoluteURL($this->urlGenerator->imagePath('core', 'actions/mail.svg'));
                foreach ($entry->getEMailAddresses() as $address) {
                        if (1) {
                                // Skip
                                continue;
                        }
                        $action = $this->actionFactory->newEMailAction($iconUrl, $address, $address);
                        $entry->addAction($action);
                }
        }

[tcitworld]

Is this a duplicate from #6582?

[demlak]

not duplicate but related
more duplicate of this #6578

[tcitworld]

#20667 will provide a way to fix this with some config.php configuration.

[Dubidubiduu]

The #CSS hack of @jamasi didn't worked for me, for I added the last part for talk support.

div#contactsmenu.openedMenu div#contactsmenu-menu.menu div.content div#contactsmenu-contacts div div.contact a.top-action, div.popovermenu ul li a.focusable[href^="mailto:"]  {
   visibility: hidden;
}

Still hopes the fix of @tcitworld gets embedded soon.

[jamasi]

The #CSS hack of @jamasi didn't worked for me, for I added the last part for talk support.

Be aware that CSS hacks do not stop nextcloud from exposing the email addresses of the other users. instead this little patch seems to work for me: #14959 (comment)
Still a proper fix like in the mentioned PR will be most welcome. So one does not have to re-apply the patch after each update.

[PVince81]

see #23172, requires adding a new option in core to hide these in the contacts menu

[szaimen]

cc @nextcloud/server-triage is this feasible?

[ghost]

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

[Moini]

I'd like this (or the duplicate bug report) to be reconsidered.
(see #9638 (comment))

[yasuoiwakura]

I'd like this (or the duplicate bug report) to be reconsidered. (see #9638 (comment))

I really don't mean to be toxic+offtopic, but this issue is a clear reason i stopped using nextcloud and use the former product and never considered using it again :-/

[jamasi]

The issue is not fixed but made worse in Nextcloud 21.

[Moini]

@szaimen I see you're able to add and remove tags here. Could you please consider removing the auto-close / stale tag? I think people just missed reacting to it.

[demlak]

Ok.. this took me several hours..

intro:
besides the fact, that the mailadresses-scope should be default private (workaround here: #14959 (comment)) there is a leak also of those mailadresses, that are marked as private! this is a big fat NO GO!

Here is my solution:

1. to hide the addresses from the contacts upper-right-corner, just comment out the EMailProdider:Class, line 88 in https://github.com/nextcloud/server/blob/stable20/lib/private/Contacts/ContactsMenu/ActionProviderStore.php
   as described here: Option to disable showing system email in avatars' contacts menu #23172

	private function getServerProviderClasses() {
		return [
		//	EMailProvider::class,
		];
}

2. to hide EMail-Addresses from the Autocompletion in the share-dialog, assign an empty string to every
   'shareWithDisplayNameUnique' => "", in
   /lib/private/Collaboration/Collaborators/UserPlugin.php and /lib/private/Collaboration/Collaborators/MailPlugin.php

Now, the only shown mail-adresses are those, that are also shown in your contacts-app.

UserPlugin.php is responsible for Autocompletion Search-results, that starts with the Searchpattern
MailPlugin.php is responsible for Autocompletion Search-results, that have the searchpattern anwhere else..

For example:
Search pattern: ja
UserPlugin.php catches:
Janet
Janine
Janice

MailPlugin.php catches:
Kolja
Katja
Benjamin

3. Instead of hide every mailadresse, i would like to show those, of users who set their mailadresse to be not-private..

since i don't know the syntax to get the scope-info of the email-property, i just have a "concept" of this idea.. could anyone help-out for the syntax?

$mailscope = AccountManager::PROPERTY_EMAIL['scope'];
shareWithDisplayNameUnique' => !empty($userEmail) && $mailscope !== PRIVAT ? $userEmail : $uid,

@nickvergessen please reopen this issue, since it is very general and still unfixed.

[demlak]

i am a little bit confused about the no-reaction.. it would be nice to get any feedback of others with the same problem.. and/or feedback of devs about this.

i think i found a good solution that makes the mail-thingy GDPR/DSGVO-complient, where it never was.

[Dacit]

Please re-open, many people have asked this question or opened similar issues in the past.

@nickvergessen

[tschombes]

This is still an issue with the latest nextcloud version and this is a nightmare. Nextcloud is NOT useable in germany with this issue. Please add an option to disable the users email are visible by default.

[jamasi]

Still an issue for 23.0.12 at least.

[sysvwfwsw]

And still an issue on 25.0.10

[Keyinator]

Still an issue on 27.1.2

[easyriders]

Is this fixed?

[Moini]

@easyriders For the top bar, yes. However, when I enter the character '@' into the search field for 'sharing', I get to see everyone's mail address.

[easyriders]

Thanks for the answer. @Moini How did you fix it for the top bar and other places?

[Moini]

I'm not sure. Is it not the default?

[gogowitsch]

I just set up a new Nextcloud instance, v29.0.9. I am shocked that leaking email addresses is still the default, both per installation and per user.

I believe this should be a question in the setup assistant, while creating the admin account. Individual users have no way of disabling this. The "Private" setting is grayed out on the “Personal info” page. It states

Not available as this property is required for core functionality including file sharing and calendar invitations

Also, the account_manager.default_property_scope setting doesn’t prevent leaking email addresses.

Fortunately, there is a kill switch to stop leaking email addresses: under Administration settings » Sharing » Allow username autocompletion in share dialog and allow access to the system address book. It affects more than sharing: It also disables the top bar contact list from being populated. I couldn’t find any leaks for ordinary users. I am happy. 🙂