Incognet has a giant fucking vuln

Story: my XMPP server was malfunctioning and I couldn't debug it properly (or just couldn't be bothered), so I simply reinstalled it. But I forgot to back up the account files of some people that were using it, so I tried photorec to recover them. I was then quite surprised how my (virtual) drive filled up in seconds. I instantly knew what was up right then... Curiosity got her way and I downloaded everything that had been lifted and started checking it out, and was shocked. Shocked to find images with doxing info (names), for example. Someone more evil than me might have abused it right then... I couldn't even be bothered to look through it all, but I'm sure I'd be able to find more spicy stuff there if I cared to.

Over 6 thousand PNGs lifted in a few seconds by photorec

If you still haven't figured out what this is about: photorec somehow bypasses Incognet's virtualization. I have access to many files that I surely did not put there. Executables, sqlite databases (found many on my first try, now only one seems to be recoverable), and who knows what else that a determined attacker might explore for clues. Let me show you an example image I've found:

Screenshot of IPtraf

I don't even know what IPtraf is, nor have I ever set up anything that takes screenshots, yet I ended up lifting about 20 similar images (among other ones). What does it mean? Don't upload anything to Incognet that you don't want others to see (or encrypt it with GPG, a zip password, etc...). The link being secret won't save you, because photorec goes after the underlying data. Your nudes, your medical information, your anything might be available to anyone that dares to try file recovery at some point. And certain things, like the databases, might be impossible to encrypt, so this vuln does not even seem completely mitigatable in principle (on the user's side, anyway). I found this out by total accident, so it's surely abusable by even amateurs. But no one has written about it yet, as far as I can see.

Why am I doing so, though? I reported the issue first by mail, and got ignored. So I was forced to use their slow, annoying and unreliable portal instead, and got quite angry. I was hoping that I'd be able to use E-mail for subsequent communication, at least, but Incognet seems to be ignoring all mail. They really want you to jump through their insane hoops to report even such a critical issue. And they still haven't done anything about it (I just confirmed it now; and it's been 3 weeks!). So your nudes and other things might be available for others to see right now. And again, this doesn't require super special hacking skills to use, so I'd rather tell my readers to beware of the stuff you upload there than hide the vuln and hope that (malicious) people won't figure it out on their own regardless. I also want to expose Incognet's lack of professionalism. It is quite possible a similar thing can be done on some other hosts, as well.

UPDATE 2: fresh Slackware 15 install on BuyVM found these (among many others [465 JPGs and 86149 PNGs]):

Something weird electronic
Nice drawing of sunflowers
Another weird electronic thing

Still think it's a nothingburger? In my home installation of Slackware, photorec found only a little over 3k PNGs - and that's including all the random internet images, XMPP avatars, stuff I got from physical media, etc. that I've been accumulating for years. Knowing this, does it really seem so easy for 80k recoverable images to have somehow ended up in a fresh OS, given that I obviously didn't run browsers or put physical media inside that server (one without XMPP, BTW)? By the way, Incognet confirmed the vuln to me in one of their E-mails:

It's strange though, because in my original test I did download a large random icon image pack, that had a bunch of random .png web icons for web-design. I extracted it, but after reinstalling the OS and running photorec, these items were not discovered. Only the random OS documentation junk as described above.

Icons for web design - does it look like something that an OS has by default? After this E-mail, though, they tried to gaslight me into believing that that's actually the case (no, Slackware doesn't have thousands of PNGs, nor a bunch of sqlite databases...), or that "their virtualizor spits junk" (if so, it's a weirdly specific kind of junk, and there is quite a lot of it!). Edit: deleting the kyun stuff, since I did not have personal confirmation and the results might not be valid.

I actually have no idea where exactly this random stuff is coming from, but the categorical denials that it could be a vuln and insane accusations of how I supposedly uploaded them myself are quite...revealing. In the end, my advice is still to avoid uploading whatever you don't want others to see on probably any VPS until this situation is fully resolved. It is still a possibility that those files are coming from other users on the VPS, or maybe from the admin's server, or...who knows, maybe it's aliens, but I surely did not put them there myself! What I suspect (and am worried the most about) is that someone might be able to buy a VPS in the same location you are, and just lift your files, even ones deleted years ago.
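To make the mechanism behind the post concrete (why a secret link or a deleted file does not help, and what "wipe, then verify" looks like on your own volume), here is an added toy model that is not part of the original post and has nothing to do with Incognet's setup. It assumes a made-up `ToyVolume` whose "filesystem" only tracks which byte ranges are allocated, exactly like a real filesystem that drops metadata on delete and leaves the blocks in place; `carve_images` then does what signature-carving tools such as photorec do, scanning raw bytes for PNG/JPEG headers and trailers while ignoring the filesystem entirely. The sample image bytes are constructed and not real images. On a real machine you would feed `carve_images` and `nonzero_sector_fraction` the raw bytes of your own block device (for example `/dev/vda`, an assumed name) after wiping, before decommissioning a VPS, or right after provisioning one to see whether the provider zero-fills volumes.

```python
"""Toy model: deleted files survive in free space until it is overwritten.

Added example, not code from the post. ToyVolume, the sample bytes and the
device name in comments are all constructed for illustration.
"""

# Magic bytes and trailers that a signature carver looks for.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"          # IEND chunk type plus its fixed CRC
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_END = b"\xff\xd9"


def carve_images(volume):
    """Return (kind, start, end) for every complete PNG/JPEG in raw bytes.

    This ignores filesystem metadata completely, which is why a file that was
    "deleted" or never linked from anywhere is still found.
    """
    found = []
    for kind, magic, trailer in (("png", PNG_MAGIC, PNG_END),
                                 ("jpeg", JPEG_MAGIC, JPEG_END)):
        pos = 0
        while (start := volume.find(magic, pos)) != -1:
            end = volume.find(trailer, start + len(magic))
            if end == -1:            # header without trailer: truncated, skip
                break
            end += len(trailer)
            found.append((kind, start, end))
            pos = end
    return sorted(found, key=lambda t: t[1])


def nonzero_sector_fraction(volume, sector=512):
    """Fraction of sectors containing any non-zero byte.

    Quick sanity check for a freshly provisioned or freshly wiped volume: a
    properly zero-filled device should score at or near 0.0.
    """
    total = (len(volume) + sector - 1) // sector
    nonzero = sum(1 for i in range(0, len(volume), sector)
                  if any(volume[i:i + sector]))
    return nonzero / total


class ToyVolume:
    """Raw bytes plus a crude allocation map (name -> (start, end)).

    Deleting a file only forgets the range; the bytes stay on the device,
    which mirrors how ordinary filesystems behave.
    """

    def __init__(self, size):
        self.raw = bytearray(size)
        self.allocated = {}

    def free_ranges(self):
        ranges, cursor = [], 0
        for start, end in sorted(self.allocated.values()):
            if start > cursor:
                ranges.append((cursor, start))
            cursor = max(cursor, end)
        if cursor < len(self.raw):
            ranges.append((cursor, len(self.raw)))
        return ranges

    def write_file(self, name, data):
        for start, end in self.free_ranges():       # first-fit allocation
            if end - start >= len(data):
                self.raw[start:start + len(data)] = data
                self.allocated[name] = (start, start + len(data))
                return
        raise OSError("no space left on toy volume")

    def delete_file(self, name):
        del self.allocated[name]                     # metadata only

    def wipe_free_space(self):
        """The mitigation: overwrite every unallocated range with zeros."""
        for start, end in self.free_ranges():
            self.raw[start:end] = bytes(end - start)


def demo():
    """Write three constructed images, delete two, carve before/after a wipe."""
    vol = ToyVolume(4096)
    avatar = PNG_MAGIC + b"\x00" * 20 + b"fake png body" + PNG_END
    scan = JPEG_MAGIC + b"\xe0" + b"\x00" * 30 + JPEG_END
    kept = PNG_MAGIC + b"\x00" * 20 + b"kept image" + PNG_END
    vol.write_file("avatar.png", avatar)
    vol.write_file("scan.jpg", scan)
    vol.write_file("keep.png", kept)
    vol.delete_file("avatar.png")
    vol.delete_file("scan.jpg")
    before = carve_images(bytes(vol.raw))   # deleted files are still carved
    vol.wipe_free_space()
    after = carve_images(bytes(vol.raw))    # only the live file remains
    return {
        "recoverable_before_wipe": len(before),
        "recoverable_after_wipe": len(after),
        "nonzero_sectors_after_wipe": nonzero_sector_fraction(bytes(vol.raw)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the gap between `delete_file` and `wipe_free_space`: before the wipe the carver returns all three images even though two are "gone", and after it only the live file is found. Encrypting data before upload (as the post advises) closes the same gap from the other side, since carved ciphertext is useless without the key; the sector check is there so you can confirm a wipe actually happened rather than trusting that it did.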
