So, let me start with saying I’m not sure if this is a security issue or if it is by design. The reason I’m reporting it here is since Nextcloud promotes this Virtual Data Room a lot.
https://nextcloud.com/blog/nextcloud-announces-virtual-data-room-solution-for-ultimate-protection-of-data-during-sensitive-dealmaking/
https://nextcloud.com/virtual-data-room/
And let me just quote: “configure Secure View ensure the users can still read and (when shared with editing rights) modify documents, while the documents are watermarked when on screen.”
“With secure view, our online office solutions can be configured to open PDF files, images and text files, making these files available in a watermark-protected way, while downloads and other apps are disabled using File Access Control. This setup is useful when data has to be protected from leaking but still has to be made available for review, as in a virtual data room scenario.”
Both of these claims are false.
Minimal proof of concept.
vdr.odt
by public link and mark as hide downloadNow the point here is that anybody you send the link will only see the watermarked file. Not being able to download or copy data. And of course making a picture of these things is useless as it shows the watermark.
wss://collabora.server/https%3A%2F%2Fserver%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1234_abcd%3Faccess_token%3efgh%26access_token_ttl%3D0/ws?WOPISrc=https%3A%2F%2Fserver%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1234_abcd&compat=/ws
As far as I understand the WOPI spec this is us sending the collabora server the WOPI endpoint they have to call. Which in this case is
https://server/index.php/apps/richdocument/wopi/files/1234_abcd
The 1234_abcd
seems to be the fileid
and the instance id
And the access token is also there in the url. In this case efgh
.
Now if an attacker just does the following curl command
curl https://server/index.php/apps/richdocument/wopi/files/1234_abcd?access_token=efgh -o stolen.odt
You will see that they have the unwatermarked version of the data. This is even easier than copying everything over or making photographs.
Your Virtual Data Room is inherently broken. And the claims you make on your website are at best misleading.
However as said I’m not sure if this may be intentional as the feature is called hide download in the UI.
In any case. Maybe a good idea would be to have a secret configured on both collabora and the Nextcloud host. Which gets send. So that in case of hide download a client that doesn’t know the secret token can’t download the file.
I do not have access to a setup with Only Office. But I believe that to be vulnerable to a similar attack.