CVE CyberSecurity Database News

CVE-2023-39963 - How One Session Hijack Could Let Attackers Hijack Your Nextcloud App Passwords

Poster -

Nextcloud has become one of the top choices for hosting your own secure cloud storage. But what happens when a small mistake lets an attacker take over a critical account function—just from getting your user session? That’s what CVE-2023-39963 exposed in a series of Nextcloud releases.

Let’s break down what happened, how it works, and what you can do about it.

27.. up to 27..1

If you use any of these, your users were open to a sneaky attack: If someone stole your authenticated session—for example, by sniffing your cookies or running a malicious plugin—they could create new app passwords for you. No extra password prompt, no additional confirmation, nothing.

What Are App Passwords?

Nextcloud app passwords let you create credentials for mobile and desktop apps or automation tools, so you don’t have to use your main account password. Usually, the server asks you to re-enter your password when creating these (as a protective step). But, due to a missing check, anyone with your session can create new app passwords on your behalf—which may persist even after you change your main password.

The Problem

The Nextcloud server allowed logged-in users to generate new app passwords _without_ re-entering their main account password. This is an issue because if an attacker manages to hijack your session—by stealing your browser session cookie, for instance—they could silently create app passwords and later keep accessing your data.

So, how would this look?

1. Attacker gets your session (through session theft, XSS, or physical access to your unlocked machine).

Attacker makes a POST request to create a new app password using your session.

3. That password is valid—often indefinitely—so they can access your files or other private data at will.

Code Example: Crafting a Malicious Request

Here’s a simple Python example showing how an attacker could script the creation of an app password if they had your session cookie:

import requests

# The target Nextcloud server
base_url = "https://nextcloud.example.com";
# The victim's session cookie (stolen by attacker)
victim_session_cookie = "oc_sessionPassphrase=theft-value; oc_username=theft-user"

# Create an app password
endpoint = f"{base_url}/ocs/v2.php/core/apppassword"
headers = {
    "OCS-APIREQUEST": "true",
    "Cookie": victim_session_cookie
}
data = {"name": "MaliciousApp"}

response = requests.post(endpoint, headers=headers, data=data)
if response.status_code == 200:
    print("Successfully created app password for victim!")
    print(response.text)
else:
    print("Failed. May not be vulnerable or patched.")

Note: This code assumes the attacker already _knows_ the victim's session. Modern browsers restrict access to HTTP-Only cookies from JavaScript, but XSS, social engineering, or physical access could expose them.

Why Is This Bad?

- Persistence: App passwords usually remain valid even if you change your main password! This means a sneaky attacker could keep accessing your files, contacts, etc., after a password reset.
- Bypassing 2FA: App passwords aren’t protected by two-factor authentication. So even if you have 2FA enabled, this “back door” could give attackers ongoing access.

How Was It Fixed?

Nextcloud developers fixed the issue by requiring users to re-enter their account password when creating app passwords, blocking attackers who only have stolen sessions.

You should upgrade to

- Nextcloud Server: 20..14.15, 21..9.13, 22.2.10.14, 23..12.9, 24..12.5, 25..9, 26..4, 27..1

Nextcloud Enterprise: Matching versions.

There are no workarounds—you need to update.

If you’re an admin

- _Upgrade!_ Don’t rely on any firewall or config workaround. Only a Nextcloud upgrade can close this hole.

CVE Record:

https://nvd.nist.gov/vuln/detail/CVE-2023-39963

Nextcloud Advisory:

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fwr4-55m9-h3fj

Nextcloud Changelog:

Nextcloud release notes

Conclusion

CVE-2023-39963 is a perfect example of how missing one small security check can open major problems—especially in software that millions rely on for privacy and file security. If you run Nextcloud or have users on a self-hosted cloud, make sure to update right away and check your app password lists.

Stay patched! And spread the word to help secure open-source software for everyone.

Timeline

Published on: 08/10/2023 18:15:00 UTC
Last modified on: 08/16/2023 13:39:00 UTC