Nextcloud: Username and Access Token Disclosure

HackerOne report H1:672623
Reported: 2019-08-13 19:37:00 (Aug 13, 2019 - 7:37 p.m.)
Reporter: jannikg
Platform: hackerone.com
Bounty: $250
19

EPSS: 0.001 (Low), Percentile: 28.5%

Versions

Nextcloud Server Version: 16.0.3.0
it.tsweb.Nextcloud (iOS App) Version: 2.23.7

Description

While logging in to an ownCloud instance the iOS client sends the username and password to the resource
/login?redirect_url=/login/flow/grant
and receives a token from the resource /login/flow in the process. This happens in the form of an HTTP 303 redirect Location [Picture 1].
/login/flow/grant?clientIdentifier=&stateToken=ji76VUQooqEHFwIPyUUHkAqGaazB8XJ5DHQiJK6vk5aBLfhS1XMf2flTMPVxgFm3

This token is from now on used to authenticate every request made by the app to the ownCloud instance [Picture 4].
This happens in the form of a Basic-Authentication header, where username and password are encoded in a Base-64 string [Picture 3].

Additionally the iOS client automatically registers some user-specific parameters at push-notifications.nextcloud.com without notifying the user. During this process the client also sends the Basic-Authentication header of the ownCloud instance to the third-party server [Picture 2].

Impact

This leads to a massive user information disclosure which affects all iOS users of the Nextcloud app (I have not tested Android) to the third party push-notifications.nextcloud.com.
The owner of the domain and the operator of the server receive a high amount of valid usernames and access tokens of every ownCloud instance with iOS users.
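The behaviour described in the report (a Basic-Authentication header meant for the user's own instance being sent to push-notifications.nextcloud.com) is exactly the kind of thing an operator can catch by reviewing proxied client traffic. The following Python script is an added example, not code from the report or from the Nextcloud project: it takes a list of recorded requests, decodes any Basic header it finds, and flags every request that carries such credentials to a host other than the instance the user logged in to. The instance host name, the request paths and the token values are constructed placeholders; only the third-party host name comes from the report. Secrets in the findings are redacted so the check itself does not re-expose the token.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample of requests, shaped like an intercepting proxy's log of
# the mobile client. Hosts other than push-notifications.nextcloud.com, all
# paths and all secrets are hypothetical placeholders, not data from the report.
INSTANCE_HOST = "cloud.example.org"  # the user's own Nextcloud/ownCloud instance

SAMPLE_REQUESTS = [
    # Login flow against the instance itself: expected, not flagged.
    {"url": f"https://{INSTANCE_HOST}/login/flow/grant?clientIdentifier=&stateToken=PLACEHOLDER_STATE_TOKEN",
     "headers": {}},
    {"url": f"https://{INSTANCE_HOST}/remote.php/dav/files/alice/",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:PLACEHOLDER_APP_TOKEN").decode()}},
    # The same Basic header sent to a third-party host: the leak the report describes.
    {"url": "https://push-notifications.nextcloud.com/devices",
     "headers": {"authorization": "Basic " + base64.b64encode(b"alice:PLACEHOLDER_APP_TOKEN").decode()}},
    # Third-party request without credentials: not flagged.
    {"url": "https://push-notifications.nextcloud.com/status",
     "headers": {"Accept": "application/json"}},
    # Non-Basic scheme to a third party: outside the scope of this check.
    {"url": "https://cdn.example.net/asset.js",
     "headers": {"Authorization": "Bearer PLACEHOLDER_BEARER"}},
]


def parse_basic_auth(header_value):
    """Return (username, secret) from an HTTP Basic Authorization value, else None."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, secret = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires the form user-id ":" password
    return user, secret


def redact(secret):
    """Keep only the first and last two characters so a finding never re-leaks the token."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def find_credential_leaks(requests, instance_host):
    """Flag every request that carries Basic credentials to a host other than the instance."""
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname
        if host == instance_host:
            continue
        # Header names are case-insensitive; accept any spelling of Authorization.
        auth = next((v for k, v in req.get("headers", {}).items()
                     if k.lower() == "authorization"), None)
        if auth is None:
            continue
        parsed = parse_basic_auth(auth)
        if parsed is None:
            continue
        user, secret = parsed
        findings.append({"host": host, "url": req["url"], "username": user,
                         "secret_redacted": redact(secret)})
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_REQUESTS, INSTANCE_HOST):
        print(f"credentials sent to third party {f['host']}: "
              f"user={f['username']} token={f['secret_redacted']} ({f['url']})")
```

Run against the constructed sample, the script reports exactly one finding, the request to push-notifications.nextcloud.com carrying alice's credentials. To use it on real captures, replace SAMPLE_REQUESTS with entries built from a HAR export or proxy log and set INSTANCE_HOST to the server the client was logged in to.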
