Our job is to help you stay in control over your data. Nextcloud is designed to be the easiest, most secure private cloud available. To keep it safe, it is important to keep your server up to date and we introduce the Nextcloud Private Cloud Security Scanner to help you with that. The results of our analysis have been covered in an article you might have seen in Der Spiegel.
We help you keep your data yours
Last year, Dropbox lost data from 68 Million accounts, and Yahoo famously had data from no less than 1 billion accounts compromised. People who run a private cloud server like Pydio, ownCloud or Nextcloud presumably do so to keep their data from prying eyes. Sadly, privacy means little without security and it is not trivial to keep a server secure.
Frequently, security researchers find new ways to break cryptographic systems, or mistakes are found in the software you run. Where many software companies tend to hide security issues in their software, only to be exposed when massive dumps of user data turn up on the dark web (Yahoo kept its breach secret for 3 years!), Nextcloud strives to be transparent while developing new, innovative security capabilities. The reality is that any complex piece of software has security issues, and finding and fixing them is a more effective way of dealing with them than the Ostrich Method. We pay security researchers up to USD 5000 rather than suing them or letting their reports fall on deaf ears, a tactic that has been proven to work well. A result is frequent updates with security related fixes.
To help you keep your system up to date, Nextcloud made updating Nextcloud servers super easy. Our new updater notifies system administrators of new versions and once started by them, automatically checks if all dependencies are there, makes a backup and then replaces the files on your server with the new version. We know updating still requires a bit of work and attention, so we keep working on lowering the barrier to an up to date and secure system.
Introducing the Private Cloud Security Scanner
From what people tell us at events and online, we know many servers still are not kept updated. That often comes with big security risks. Some problems in older versions enable an attacker to take over a server completely; others allow unauthorized downloading of some or all of the data on the server! It is the nature of security in software development that running old, un-updated versions is a risk. It is also a legal risk, as Europe has the strict General Data Protection Regulation.
To help you assess the security of your private cloud server, Nextcloud has developed the Private Cloud Security Scanner. By entering the URL of your server, you can learn if there is a newer version of your private cloud software and what vulnerabilities exist in the one you are currently running. A few simple checks are also done to assess other security settings on your server.
Please note that the scanner merely does a very simple, basic check: it asks the server what version it runs and analyzes the response. No ‘hacking’ attempt is made, and there are many other things which can be broken that this minimal scan does not see.
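To show what such a version-only check amounts to for an administrator looking at their own server, here is an added example (not the scanner's code, and not part of the original post). It assumes Nextcloud and ownCloud answer a request to /status.php with a small JSON document that includes a "version" field, and the "safe" thresholds and the sample status body are constructed placeholders, not real advisory data:

```python
import json
from typing import Dict, Tuple

# Assumed endpoint: Nextcloud/ownCloud serve a JSON status document at
# /status.php carrying "installed", "version" and "versionstring" (newer
# Nextcloud also adds "productname"). This example only parses such a body.

# Constructed placeholder thresholds, not a real advisory: replace with the
# minimum releases your vendor's security advisories name as fixed.
MINIMUM_SAFE_VERSION = {"Nextcloud": (12, 0, 0), "ownCloud": (10, 0, 0)}

# Constructed sample status body, as an outdated Nextcloud 11 might return it.
SAMPLE_STATUS = ('{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
                 '"version":"11.0.3.2","versionstring":"11.0.3","edition":"",'
                 '"productname":"Nextcloud"}')


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.0.3.2' -> (11, 0, 3, 2); a non-numeric part (e.g. 'beta1') ends it."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(parts)


def is_outdated(installed: Tuple[int, ...], minimum: Tuple[int, ...]) -> bool:
    """Compare dotted versions of unequal length by padding with zeros."""
    width = max(len(installed), len(minimum))

    def pad(v: Tuple[int, ...]) -> Tuple[int, ...]:
        return v + (0,) * (width - len(v))

    return pad(installed) < pad(minimum)


def assess_status(body: str) -> Dict[str, object]:
    """Classify one status.php body: which product, and is it behind the minimum?"""
    data = json.loads(body)
    if not isinstance(data, dict) or "version" not in data:
        return {"ok": False, "reason": "no version field: not a cloud status document"}
    product = data.get("productname", "unknown")
    version = parse_version(str(data["version"]))
    result = {"ok": True, "product": product, "version": version}
    if product not in MINIMUM_SAFE_VERSION:
        result["outdated"] = None  # cannot judge: check the vendor's changelog by hand
    else:
        result["outdated"] = is_outdated(version, MINIMUM_SAFE_VERSION[product])
    return result
```

Everything the scan cannot see (misconfigured shares, weak passwords, unpatched system packages) stays invisible to a check like this, which is the point of the note above.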
Looking on the web
While developing the security scanner we had a look at the state of security of private cloud servers online. Many administrators might not be aware how easy it is to get a list of servers on the web! Services like shodan.io provide the ability to search for specifics and it is simple to get a list of tens of thousands of instances and look at them.
We quickly realized a VERY large percentage was insecure. Many hundreds of servers had such severe vulnerabilities they could be taken over entirely. Data from thousands can be downloaded trivially, and tens of thousands more are vulnerable with only a little bit of work on the part of the attacker, like obtaining a sharing link. About two-thirds of the servers we looked at were vulnerable. With an estimated 200K servers out there, it extrapolates to a scary large number. We did not feel any better looking at the specific URLs, seeing political parties, hospitals, universities, large corporations and governments in the list of insecure servers.
At this point, we decided we should warn the administrators of these instances. Of course, a blog or tweet would not make much difference as some had not upgraded for years. And publicity could encourage people with more nefarious goals to look at these servers and try to break in. The events around a Drupal vulnerability have shown that, within hours of public disclosure, it might already be too late to patch servers. We discussed trying to reach out directly but thought it wasn’t really our place to contact people directly, many of whom were not even running Nextcloud.
Instead, we looked at what the usual process to follow is when you discover a big security issue like this. That is to alert the security organizations in various countries like the volunteers from the Shadowserver Foundation, the SWITCH Foundation in Switzerland, the BSI in Germany and so on and discuss what to do. They decided to reach out to users with a personal warning, including the results of the scan. This reach-out goes through different channels, depending on country and organization which handles this. Some reach out directly, others go via service providers or other channels. We made sure the security scan would not expose any private data, using unique IDs instead of URLs to present them the results and we kept as quiet as possible on our communication channels about this matter.
Results
The effort has been quite successful. Of the tens of thousands server owners who were informed, over 5% had upgraded already in the first ten days. We noticed that especially the administrators of the more active and heavily used servers responded by upgrading, securing a large number of user accounts.
The outreach through the security organizations in each country was also less than perfect. Some don’t handle this anywhere near as nicely as we’d like to have seen; there was one instance which just emailed the entire list of vulnerable URLs to its entire customer base. Others did not alert their customers at all. But most did a reasonable job in both making clear the urgency of the issue and protecting the privacy of their users.
But we could only see and contact a subset of the total number of servers out there. Despite our significant efforts, we estimate that there are at least another 50.000 insecure private cloud servers out there we have not been able to warn. This is where, among other things, this blog post comes in: we hope to enlist the community in our efforts to reach out and get as many private cloud servers upgraded as soon as possible to the latest release of whatever software they run, explaining to system administrators how important this is. If needed, you can use information from this blog by Lukas to explain the dangers. And, of course – the article on Der Spiegel.
Future
Nextcloud has been working hard on making it easier to keep your system up to date. We rewrote the update tool for Nextcloud 10, made it easy to use from the command line in Nextcloud 11, and Nextcloud 12 will no longer disable apps when doing a security update, making the updates less intrusive. More improvements are being worked on. Our ultimate goal is to make updates so seamless they can be done fully automatically without any administrator involvement or downtime. At this moment, we have achieved this on the Nextcloud Box, using Canonical’s Snap technology which automates updates entirely. You can read more about that in this whitepaper.
We also plan to improve the security scan. From today you can use it to scan your own server and see what the security state is, and we have already invited other open source private cloud projects to work with us and make it possible to scan their software as well. ownCloud has responded by creating their own scan.
If you want to know what this entire private cloud thing is all about, read this article on CIO.com.
Thanks
We would like to thank everybody who has been helping us reach out to server owners, including Der Spiegel and other press, both for keeping this quiet to give server owners time to upgrade and for helping explain the risks now.