< go back to overview

Credentials potentially leaked to other configured ownCloud instance

Platform: Mobile Clients

Versions: iOS 3.4.4,

Date: 8/3/2015

Risk level: Low

CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CWE: Information Exposure Through Sent Data (CWE-201)


A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances.

Specifically, the ownCloud iOS application allows users to connect to multiple ownCloud instances offering an easy way to switch between different accounts on different instances. An user may for example configure their hosted ownCloud by a third-party provider as well as their company ownCloud instance.

In some cases when switching the accounts in the iOS applications the application is not properly handling the state switch and will continue to send the previous authentication headers to the other instance. Thus a malicious administrator on another configured ownCloud instance may gain access to the user’ credentials on the other instance.

Affected Software

  • ownCloud Mobile < iOS 3.4.4 (CVE-2015-5955)

Action Taken

The iOS application is now properly handling credentials as well as cookies and will send these only to the correct domains.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.com) – Vulnerability discovery and disclosure.

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.