Windows 10 Anniversary, up to date, Cryptomator 1.2.0-x64
Encrypted file names are stored in clear text in %appdata%\Cryptomator\cryptomator.log as they're added or opened, and can be discovered and read without the passphrase to the vault with a simple notepad program.
Users expect that these file names remain unavailable to other users of the machine. You should warn about the logs, or better, do not create them unless a debugging session is specifically requested by the user.
[insert relevant parts of the log file here if applicable,
don't forget to redact sensitive information
......
it's all sensitive and shouldn't be maintained unless the user is in debug mode.
on Windows: %appdata%/Cryptomator/cryptomator.log
on OS X: ~/Library/Logs/Cryptomator/cryptomator.log
on Debian: ~/.Cryptomator/cryptomator.log]
Good catch, this seems to be a pretty huge issue. Hopefully it'll get fixed soon.
Only thing I'm wondering - does this only affect Windows 10? Since it's a log file, I'd assume it affects all operating systems.
> users expect that these file names remain unavailable
Fair point.
@dodekeract this affects all operating systems. If you want an ad-hoc fix, you can configure the log file to be stored to /dev/null or similar.
Usually I'd say that Cryptomator's sole purpose is to protect data which leaves the device, but as this is a fairly easy thing to fix and you're totally right about the user's expectation, this should indeed get fixed with one of the next minor releases.
Thanks! I look forward to the fix. This will position you better for the fully portable version, too. Logs on the non-portable disk of the machine aren't the best way to have a portable app setup.
Temporarily, for anyone who uses CCleaner and wants a semi-auto cleanup, I've added the following lines to the CCleaner winapp2.ini to delete it when I run it:
[Cryptomator*]
LangSecRef=3024
Default=False
FileKey1=%appdata%\Cryptomator|cryptomator.log
Yes, that last is a vertical bar, not a slash. You should open CCleaner and click in the check box after this change (or change the default to True).
Thanks, again.
Fixed in fe86b4c
Thanks. Works perfectly.