Months of Google Drive files disappearing randomly

Google Drive users are reporting files mysteriously disappearing from the service, with some netizens on the goliath’s support forums claiming six or more months of work have unceremoniously vanished.

The issue has been rumbling for a few days, with one user logging into Google Drive and finding things as they were in May 2023.

According to the poster, almost everything saved since then has gone, and attempts at recovery failed.

Others chimed in with similar experiences, and one claimed that six months of business data had gone AWOL.

There is little information regarding what has happened; some users reported that synchronization had simply stopped working, so the cloud storage was out of date. Others could get some of their information back by fiddling with cached files, although the limited advice on offer for the affected was to leave things well alone until engineers come up with a solution.

A message purporting to be from Google support also advised not to make changes to the root/data folder while engineers investigate the issue.

[…]

a reminder that just because files are being stored in the cloud, there is no guarantee that they are safe. European cloud hosting provider OVH suffered a disastrous fire in 2021 that left some customers scrambling for backups and disaster recovery plans.

[…]

Just because the files have been uploaded one day does not necessarily mean they will still be there – or recoverable – the next.

[…]

MatthewSt reports that he has a fix; obviously this is something worked out by a user rather than official advice, so caution is advised.

Source: The mystery of the disappearing Google Drive files • The Register

3 Vulns expose ownCloud admin passwords, sensitive data

ownCloud has disclosed three critical vulnerabilities, the most serious of which leads to sensitive data exposure and carries a maximum severity score.

The open source file-sharing software company said containerized deployments of ownCloud could expose admin passwords, mail server credentials, and license keys.

Tracked as CVE-2023-49103, the vulnerability carries a maximum severity rating of 10 on the CVSS v3 scale and affects the graphapi app version 0.2.0 to 0.3.0.

The app relies on a third-party library that provides a URL that when followed reveals the PHP environment’s configuration details, which then allows an attacker to access sensitive data.

Not only could an intruder access admin passwords when deployed using containers, but the same PHP environment also exposes other potentially valuable configuration details, ownCloud said in its advisory, so even if the software isn’t running in a container, the recommended fixes should still be applied.

To fix the vulnerability, customers should delete the file at the following directory: owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.

Customers are also advised to change their secrets in case they’ve been accessed. These include ownCloud admin passwords, mail server credentials, database credentials, and Object-Store/S3 access-keys.

In a library update, ownCloud said it disabled the phpinfo function in its Docker containers and “will apply various hardenings in future core releases to mitigate similar vulnerabilities.”

The second vulnerability carries another high severity score, a near-maximum rating of 9.8 for an authentication bypass flaw that allows attackers to access, modify, or delete any file without authentication.

Tracked as CVE-2023-49105, the conditions required for a successful exploit are that a target’s username is known to the attacker and that they have no signing-key configured, which is the default setting in ownCloud.

Exploits work here because pre-signed URLs are accepted when no signing-key is configured for the owner of the files.

The affected core versions are 10.6.0 to 10.13.0 and to mitigate the issue, users are advised to deny the use of pre-signed URLs in scenarios where no signing-key is configured.
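The mitigation above amounts to failing closed: a pre-signed URL is rejected outright when its owner has no signing key. The following is an added example, not ownCloud's code or URL format; the key store, parameter names (`owner`, `expires`, `sig`), signed fields and paths are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed key store: "alice" has a signing key, "bob" has none
# (the default state the advisory describes).
SIGNING_KEYS = {"alice": b"constructed-example-key"}


def _signature(key: bytes, method: str, path: str, expires: int) -> str:
    """HMAC-SHA256 over the request parts the signature covers (assumed layout)."""
    message = f"{method}\n{path}\n{expires}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def make_presigned_url(owner: str, method: str, path: str, expires: int, key: bytes) -> str:
    """Build a pre-signed URL for the given owner (hypothetical format)."""
    sig = _signature(key, method, path, expires)
    return f"{path}?{urlencode({'owner': owner, 'expires': expires, 'sig': sig})}"


def verify_presigned_url(url: str, method: str, now: int) -> bool:
    """Return True only if the URL carries a valid, unexpired signature."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        owner = params["owner"][0]
        expires = int(params["expires"][0])
        supplied = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters

    key = SIGNING_KEYS.get(owner)
    if not key:
        # Fail closed: no configured key means no pre-signed access at all.
        # Never fall back to an empty or default key here.
        return False
    if now > expires:
        return False

    expected = _signature(key, method, parts.path, expires)
    # Constant-time comparison on bytes avoids timing leaks and str edge cases.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```
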

The final vulnerability was assigned a severity score of 9 by ownCloud, a “critical” categorization, but the National Vulnerability Database has reduced this to 8.7 – a less-severe “high” classification.

It’s a subdomain validation bypass issue that affects all versions of the oauth2 library including and before 0.6.1 when “Allow Subdomains” is enabled.

“Within the oauth2 app, an attacker is able to pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker,” read ownCloud’s advisory.

Source: Vulns expose ownCloud admin passwords, sensitive data • The Register

Roundcube Open-Source Webmail Software Merges With Nextcloud

The open-source Roundcube webmail software project has “merged” with Nextcloud, the prominent open-source personal cloud software.

In boosting Nextcloud’s webmail software capabilities, Roundcube is joining Nextcloud as what’s been described as a merger. In 2024 Nextcloud is to invest into Roundcube to accelerate the development of this widely-used webmail open-source software. Today’s press release says Roundcube will not replace Nextcloud Mail with at least no plans for merging the two in the short-term.

Today’s press release says that there are no immediate changes for Roundcube and Nextcloud users besides looking forward to improved integration and accelerated development beginning in the short term.

More details on today’s announcement via the Nextcloud blog.

Perhaps with this increased investment into Roundcube, some of the original plans laid out years ago with the crowdfunded Roundcube-Next will finally be realized. RoundCube-Next raised more than $100k in funding a number of years ago only to fail in delivering their revamped software.

Source: Roundcube Open-Source Webmail Software Merges With Nextcloud – Phoronix

Considering Roundcube is used by hundreds of millions of users and is basically programmed by just one guy, the $100k was absolute peanuts in terms of how much was raised, especially considering the ambition. Open Source hardliners take note: this shows exactly how unfair the system is – the guy who wrote this should have been a millionaire many times over. Instead, the companies profiting off his work for free have become worth millions, and so have their CEOs.

Windows users report appearance of unwanted HP app – shows you how secure automatic updating is (with no real information about what is in the updates)

Windows users are reporting that Hewlett Packard’s HP Smart application is appearing on their systems, despite them not having any of the manufacturer’s hardware attached.

While Microsoft has remained tight-lipped on what is happening, folks on various social media platforms noted the app’s appearance, which seems to afflict both Windows 10 and Windows 11.

The Windows Update mechanism is used to deploy third-party applications and drivers as well as Microsoft’s updates, and we’d bet someone somewhere has accidentally checked the wrong box.

[…]

WindowsLatest reported the issue occurring on both physical Windows 10 hardware and a Windows 11 virtual machine.

HP Smart is innocuous enough. It’s an application used in conjunction with HP’s printer hardware and can simply be uninstalled.

However, the question is how the application got installed in the first place on a machine with no HP hardware attached or on a network, according to affected users.

[…]

Source: Windows users report appearance of unwanted HP app • The Register

Web browser suspended because it can browse the web is back on Google Play after being taken down by incomplete DMCA

Google Play has reversed its latest ban on a web browser that keeps getting targeted by vague Digital Millennium Copyright Act (DMCA) notices. Downloader, an Android TV app that combines a browser with a file manager, was restored to Google Play last night.

Downloader, made by app developer Elias Saba, was suspended on Sunday after a DMCA notice submitted by copyright-enforcement firm MarkScan on behalf of Warner Bros. Discovery. It was the second time in six months that Downloader was suspended based on a complaint that the app’s web browser is capable of loading websites.

The first suspension in May lasted three weeks, but Google reversed the latest one much more quickly. As we wrote on Monday, the MarkScan DMCA notice didn’t even list any copyrighted works that Downloader supposedly infringed upon.

Instead of identifying specific copyrighted works, the MarkScan notice said only that Downloader infringed on “Properties of Warner Bros. Discovery Inc.” In the field where a DMCA complainant is supposed to provide an example of where someone can view an authorized example of the work, MarkScan simply entered the main Warner Bros. URL: https://www.warnerbros.com/.

DMCA notice was incomplete

Google has defended its DMCA-takedown process by saying that, under the law, it is obligated to remove any content when a takedown request contains the elements required by the copyright law. But in this case, Google Play removed Downloader even though the DMCA takedown request didn’t identify a copyrighted work—one of the elements required by the DMCA.

[…]

Downloader’s first suspension in May came after several Israeli TV companies complained that the app could be used to load a pirate website. In that case, an appeal that Saba filed with Google Play was quickly rejected. He also submitted a DMCA counter-notice, which gave the complainant 10 business days to file a legal action.

[…]

Saba still needed to republish the app to make it visible to users again. “I re-submitted the app last night in the Google Play Console, as instructed in the email, and it was approved and live a few hours later,” Saba told Ars today.

In a new blog post, Saba wrote that he expected the second suspension to last a few weeks, just like the first did. He speculated that it was reversed more quickly this time because the latest DMCA notice “provided no details as to how my app was infringing on copyrighted content, which, I believe, allowed Google to invalidate the takedown request.”

“Of course, I wish Google bothered to toss out the meritless DMCA takedown request when it was first submitted, as opposed to after taking ‘another look,’ but I understand that Google is probably flooded with invalid takedown requests because the DMCA is flawed,” Saba wrote. “I’m just glad Google stepped in when it did and I didn’t have to go through the entire DMCA counter notice process. The real blame for all of this goes to Warner Bros. Discovery and other corporations for funding companies like MarkScan which has issued DMCA takedowns in the tens of millions.”

Source: Web browser suspended because it can browse the web is back on Google Play | Ars Technica

DMCA is an absolute horror of a system that is an incredibly and unfixably broken “solution” to corporate greed