Story: my XMPP server was malfunctioning and I couldn't debug it properly (or just couldn't be bothered), so I simply reinstalled it. But I forgot to back up account files of some people that were using it, so I tried photorec to recover. I was then quite surprised how my (virtual) drive filled up in seconds. I instantly knew what was up right then... Curiosity got her way and I downloaded everything that had been lifted and started checking it out, and was shocked. Shocked to find images with doxing info (names), for example. Someone more evil than me might have abused it right then... I couldn't even be bothered to look through it all but I'm sure I'd be able to find more spicy stuff there if I cared to.
If you still didn't figure out what this is about, photorec somehow bypasses Incognet's virtualization. I'm pretty sure I had access to every deleted file that everyone using Incognet ever uploaded, judging by the amount of trash that appeared pretty much instantly - trash I surely did not put there. Executables, sqlite databases, and who knows what that a determined attacker might explore for clues. And the files don't even need to be deleted; it seems it's all added to some all-encompassing backup that's never overwritten (I can find my own years-old stuff that I've never put up a link to anywhere). What does it mean? Don't upload anything to Incognet that you don't want others to see (or encrypt it with GPG, a zip password, etc...). The link being secret won't save you because photorec goes after the underlying data. Your nudes, your medical information, your anything might be available to anyone that dares to try file recovery at some point. I found this vuln by total accident so it's surely abusable by even amateurs. But no one has written about it yet, as far as I can see.
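One way to check whether a freshly provisioned VPS disk is actually clean before trusting it, as an added example that is not part of the original post: it reads a raw device or disk image block by block, counts non-zero blocks, and counts blocks that start with the PNG, JPEG, SQLite or ELF signatures of the file kinds described above. The device path, the 4096-byte block size and the constructed sample image are assumptions, not values from the post.

```python
"""Added example (not the post's own code): residual-data check for a disk that is
supposed to be fresh. A properly wiped disk should be almost entirely zero blocks."""
import io
import sys
from collections import Counter

BLOCK_SIZE = 4096  # assumed allocation unit; filesystems usually start files on such boundaries

# Magic bytes at offset 0 of the file kinds the post reports finding
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"SQLite format 3\x00": "sqlite",
    b"\x7fELF": "elf",
}

def scan_residual_data(stream, block_size=BLOCK_SIZE):
    """Return (non_zero_blocks, total_blocks, Counter of signature hits) for a file-like or bytes."""
    if isinstance(stream, (bytes, bytearray)):
        stream = io.BytesIO(stream)
    hits = Counter()
    total = nonzero = 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        total += 1
        if not any(block):  # all-zero block: what a wiped disk should look like
            continue
        nonzero += 1
        for magic, name in SIGNATURES.items():
            if block.startswith(magic):
                hits[name] += 1
                break
    return nonzero, total, hits

def build_sample_image(block_size=BLOCK_SIZE):
    """Constructed 16-block 'fresh' disk that still carries three leftover headers plus stray bytes."""
    img = bytearray(16 * block_size)
    img[3 * block_size : 3 * block_size + 8] = b"\x89PNG\r\n\x1a\n"
    img[7 * block_size : 7 * block_size + 16] = b"SQLite format 3\x00"
    img[9 * block_size : 9 * block_size + 3] = b"\xff\xd8\xff"
    img[12 * block_size : 12 * block_size + 4] = b"junk"  # non-zero, but no known signature
    return bytes(img)

if __name__ == "__main__":
    # usage: python check.py /dev/vda  (reading a raw device needs root); no argument runs the sample
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    with src:
        nz, total, hits = scan_residual_data(src)
    print(f"{nz}/{total} non-zero blocks, signature hits: {dict(hits)}")
```

Any signature hit on a disk that was never written to by you is the condition described above; a zeroed disk reports no non-zero blocks at all.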
Why am I doing so, though? I reported the issue first by mail, and got ignored. So I was forced to use their slow, annoying and unreliable portal instead, and got quite angry. I was hoping that I'd be able to use E-mail for subsequent communication, at least, but Incognet seems to be ignoring all mail. They really want you to jump through their insane hoops to report even such a critical issue. And they still haven't done anything about it (I just confirmed it now; and it's been 3 weeks!). So your nudes and other things might be available for others to see. And again, this doesn't require super special hacking skills to use, so I'd rather tell my readers to beware of the stuff you upload there than hide the vuln and hope that (malicious) people won't figure it out on their own regardless. I also want to expose Incognet's lack of professionalism. It is also quite possible a similar thing can be done on some other hosts, as well (notify me if you find out). UPDATE: vuln confirmed for kyun.host.
UPDATE 2: fresh Slackware 15 install on BuyVM found these (among many others [465 JPGs and 86149 PNGs]):
Still think it's a nothingburger? By the way, Incognet confirmed the vuln to me in one of their E-mails:
It's strange though, because in my original test I did download a large random icon image pack, that had a bunch of random .png web icons for web-design. I extracted it, but after reinstalling the OS and running photorec, these items were not discovered. Only the random OS documentation junk as described above.
After that though, they tried to gaslight me into believing that it's really my OS that had those things in the first place (no, it doesn't have thousands of PNGs by default, nor sqlite databases, executable files...), or that "their virtualizor spits junk" (if so, it's a weirdly specific kind of junk, and there is quite a lot of it!). Kyun joined in on the "fun" (archive), too. I don't have personal confirmation that this works for kyun, BTW; but I have no reason to distrust the reporting of the person who found it out (he found 60k files, BTW). In fact, I have no idea where these random images are coming from, but the categorical denials that it could be a vuln and insane accusations of how I supposedly uploaded them myself are quite... revealing. In the end, my advice is still to avoid uploading whatever you don't want others to see on probably any VPS until this situation is fully resolved. It is still a possibility that it's coming from other users on the VPS, or maybe from the admin's server, or... who knows where, but surely not from me!