Security Concern - Found Unencrypted Content in .config File

Hi. Posting this because I am concerned I might have uncovered a security flaw with the encrypted feature of the app.

First, I elected to have my content encrypted according to the app’s settings. I thought I was golden until I ran across a hack. I am running the latest version of Joplin and macOS 10.15 Catalina.

In macOS, if you open the .config file via Terminal, inside is a folder called “resources.” If you open the resources folder you will see a listing of your content, but NOT all of it is encrypted as I thought. The text notes part is encrypted, but NONE of the PDFs, JPGs, or anything else is encrypted. This is bad because, for example, what if I took a screenshot of backup security codes? That file would be fully viewable.

Did I uncover a security hole? Are the developers aware of this? If so, I urge them to look at it and see if they can also get that content encrypted.
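As an added illustration (not from the original post and not Joplin's own code), the check the post performs by hand can be scripted: walk a resources directory and flag any file whose first bytes carry a recognisable plaintext header (PDF, JPEG, PNG), while treating high-entropy files with no known header as opaque. The magic-byte table, the entropy threshold and the sample directory below are constructed for this example; the real directory to point it at is whatever "resources" folder under .config the post refers to, which is left as an assumption here.

```python
import os
import tempfile
from math import log2

# Constructed table of file signatures for attachment types the post names
# (plus PNG). Not derived from Joplin; extend it for other formats you store.
MAGIC = {
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Bytes-per-symbol entropy above this looks like ciphertext or compression,
# not a readable document. 7.0 is an assumed threshold for this example.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """Return a recognised plaintext format name, 'opaque' if the header
    matches nothing and the content is high-entropy, or 'unknown' otherwise."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    if len(data) >= 64 and shannon_entropy(data[:4096]) > ENTROPY_THRESHOLD:
        return "opaque"
    return "unknown"


def audit_resources(path: str) -> dict:
    """Map each regular file in `path` to its classification (header only)."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as f:
                report[name] = classify(f.read(4096))
    return report


def plaintext_files(report: dict) -> list:
    """Names of files that still carry a known readable-format header."""
    return [n for n, kind in report.items() if kind in MAGIC.values()]


def build_sample_dir() -> str:
    """Constructed sample directory: a fake PDF, a fake JPEG and a random blob
    standing in for an encrypted/opaque file."""
    d = tempfile.mkdtemp(prefix="resources_sample_")
    with open(os.path.join(d, "codes.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"sample content " * 20)
    with open(os.path.join(d, "shot.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
    with open(os.path.join(d, "blob.bin"), "wb") as f:
        f.write(os.urandom(4096))
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    rep = audit_resources(sample)
    for name, kind in rep.items():
        print(f"{name}: {kind}")
    print("attachments readable without a key:", plaintext_files(rep))
```

Run it against the real resources folder by passing that path to `audit_resources` instead of the sample directory; anything listed by `plaintext_files` is readable by any process or person with access to the local profile, which is the situation the post describes. The header check is deliberately shallow: it detects files that are obviously plaintext, and an "opaque" verdict only means no known signature was found, not proof of encryption.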

local data is not encrypted

What about the data I am syncing with Dropbox. Is that encrypted?

yes (if you use E2EE)

Does this vulnerability concern you or others?

Me, no. Others, yes.

There have been countless discussions on this forum and on github. I won’t repeat my reasoning. Please search for the topics on this forum.


Okay. I will. I did a quick search and didn’t find anything, thus I posted my question. I’ll try another search. Thanks for the quick answer.

This is addressed in this pull request https://github.com/laurent22/joplin/pull/3207