Nimbox Unauthenticated Direct Object Reference in Download Function

Advisory Information

Title: Nimbox Unauthenticated Direct Object Reference in Download Function

Date Published: 05/08/2016

Advisory Summary

Nimbox is a secure file sharing, collaboration, backup and cloud storage service for managing, sharing and syncing files across your environment. Their ‘vault.nimbox’ service, used for secure file sharing was found to have an unauthenticated direct object reference vulnerability. Resulting in the ability to download all customer data stored within



Affected Software

Product Version Platform
Nimbox 2.5.0 –

Description of Issue

Nimbox’s ‘vault’ application contains a ‘download as a zip’ function, which allows clients to download the entire contents of their share instead of each file individually. This function makes use of three separate parameters when making its call to the API end point.<client_id>/<folder_id>/zip/<validation _token>

By iterating through each value of client_id and folder_id, it was possible to enumerate valid content and download the corresponding folder.

These requests can be made without first authenticating to the service and all that is required to invoke the download is a validation token, which can be obtained through multiple means (the simplest of which was to create a trial account).


Further discussion and a proof of concept on this issue will be covered within a future 7 Elements blog post.


Reported – 26th July 2016

Accepted – 26st July 2016

Patched – 27th July 2016

Advisory Published – 5th August 2016