Cryptomator
cpe:2.3:a:cryptomator:cryptomator:*:*:*:*:*:*:*
- 1.19.1
A logic flaw in Cryptomator version 1.19.1 allows an attacker to bypass the Hub host trust check and intercept OAuth tokens. The flaw lies in the 'CheckHostTrustController.getAuthority()' method, which derives the URI scheme from the port number instead of reading it from the URI. As a result, an HTTPS URL on port 80 is treated the same as a plain HTTP URL, so the check no longer distinguishes encrypted from unencrypted endpoints. An attacker with write access to a cloud-synced 'vault.cryptomator' file can exploit this by crafting a Hub configuration that uses HTTPS with port 80 for some endpoints while pointing the token exchange at a plaintext HTTP endpoint. This issue has been addressed in version 1.19.2.
Exploitation of this vulnerability allows for the interception of OAuth tokens during the exchange process, enabling unauthorized access to the Cryptomator Hub API as the victim.
To reproduce this vulnerability, create a Hub vault synced with a cloud service. Then modify the 'vault.cryptomator' file so that its Hub configuration uses 'https://hub.cryptomator.cloud:80' for 'apiBaseUrl' and 'authEndpoint', and sets 'tokenEndpoint' to 'http://auth.cryptomator.cloud' (no explicit port, so it defaults to plain HTTP on port 80). When the vault is unlocked in Cryptomator, the OAuth token is sent to the token endpoint over unencrypted HTTP, where anyone on the network path can read it.
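The following is an added example, not code from the Cryptomator project: a hypothetical Python model of the lossy authority derivation described above, beside a strict replacement. The page does not state how CheckHostTrustController consumes the authority string, so the model only shows the derivation itself and an HTTPS check built on the strict form. The function names and endpoint paths are assumptions; the two Hub configurations are constructed from the reproduction steps above.

```python
from urllib.parse import urlsplit

# Constructed Hub configuration modelled on the reproduction steps above.
# Only the schemes, hosts and ports come from the page; the paths are assumed.
CRAFTED_HUB_CONFIG = {
    "apiBaseUrl":    "https://hub.cryptomator.cloud:80/api/",
    "authEndpoint":  "https://hub.cryptomator.cloud:80/auth",
    "tokenEndpoint": "http://auth.cryptomator.cloud/token",
}

# A benign configuration for comparison (also constructed).
BENIGN_HUB_CONFIG = {
    "apiBaseUrl":    "https://hub.cryptomator.cloud/api/",
    "authEndpoint":  "https://auth.cryptomator.cloud/auth",
    "tokenEndpoint": "https://auth.cryptomator.cloud/token",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def flawed_authority(url: str) -> str:
    """Hypothetical model of the flaw (not Cryptomator's code): the scheme is
    hardcoded from the port instead of read from the URL, so https://host:80
    collapses to the same string as http://host and the scheme is lost."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme, 443)
    scheme = "http" if port == 80 else "https"   # scheme inferred from port: the bug
    return f"{scheme}://{u.hostname}"


def strict_authority(url: str) -> str:
    """Hardened variant (an assumed fix, not the 1.19.2 patch): keep the scheme
    the URL actually carries and default only the port from that scheme, so
    URLs with different schemes can never produce the same authority."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"unsupported or malformed endpoint URL: {url!r}")
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    return f"{u.scheme}://{u.hostname}:{port}"


def plaintext_endpoints(config: dict) -> list[str]:
    """Return the names of Hub endpoints that would carry traffic without TLS.
    An empty list means every endpoint in the config uses https."""
    flagged = []
    for name in ("apiBaseUrl", "authEndpoint", "tokenEndpoint"):
        if not strict_authority(config[name]).startswith("https://"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    crafted = CRAFTED_HUB_CONFIG["apiBaseUrl"]
    print("flawed :", flawed_authority(crafted), "==", flawed_authority("http://hub.cryptomator.cloud/"))
    print("strict :", strict_authority(crafted), "!=", strict_authority("http://hub.cryptomator.cloud/"))
    print("crafted config, plaintext endpoints:", plaintext_endpoints(CRAFTED_HUB_CONFIG))
    print("benign config, plaintext endpoints :", plaintext_endpoints(BENIGN_HUB_CONFIG))
```

The point of the strict form is that the authority is canonicalized from what the URL states rather than guessed from a side channel: the port may default from the scheme, but the scheme must never be derived from the port. With that in place, the crafted configuration is rejected because its 'tokenEndpoint' is plain HTTP, regardless of which ports the other endpoints use.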
Users can update to Cryptomator version 1.19.2, which includes the necessary fix for this vulnerability.