Story: my XMPP server was malfunctioning and I couldn't debug it properly (or just couldn't be bothered), so I simply reinstalled it. But I forgot to back up the account files of some people who were using it, so I tried photorec to recover them. I was then quite surprised at how my (virtual) drive filled up in seconds. I instantly knew what was up right then... Curiosity got her way and I downloaded everything that had been lifted and started checking it out, and was shocked. Shocked to find images with doxing info (names), for example. Someone more evil than me might have abused it right then... I couldn't even be bothered to look through it all but I'm sure I'd be able to find more spicy stuff there if I cared to.
If you still haven't figured out what this is about, photorec somehow bypasses Incognet's virtualization. I'm pretty sure I had access to every deleted file that everyone using Incognet ever uploaded, judging by the amount of trash that appeared pretty much instantly - trash I surely did not put there. Executables, sqlite databases, and who knows what else that a determined attacker might explore for clues. What does it mean? Don't upload anything to Incognet that you don't want others to see (or encrypt it with GPG, a zip password, etc...). The link being secret won't save you because photorec goes after the underlying data. Your nudes, your medical information, your anything might be available to anyone that dares to try file recovery at some point. I found this vuln by total accident so it's surely abusable by even amateurs. But no one has written about it yet, as far as I can see.
Why am I doing so, though? I reported the issue first by mail, and got ignored. So I was forced to use their slow, annoying and unreliable portal instead, and got quite angry. I was hoping that I'd be able to use e-mail for subsequent communication, at least, but Incognet seems to be ignoring all mail. They really want you to jump through their insane hoops to report even such a critical issue. And they still haven't done anything about it (I just confirmed it now; and it's been 3 weeks!). So your nudes and other things might be available for others to see. And again, this isn't too hard to find out, so I'd rather tell my readers to beware of the stuff they upload there than hide the vuln and hope people won't figure it out regardless. And I also want to expose Incognet's lack of professionalism. Who knows if a similar thing can't be done on some other hosts, as well (notify me if you find out).