Session Expiration Not Enforced in Cryptomator Hub Web Client

High
SailReal published GHSA-69fp-wc9g-5778 Aug 18, 2025

Package

Cryptomator Hub

Affected versions

< 1.4.5

Patched versions

1.4.5

Description

Impact

When an access token expires and the subsequent updateToken() call fails (e.g., because the refresh token has also expired or Keycloak is unreachable), the Cryptomator Hub single-page application (SPA) does not immediately redirect the user to the login page or clear sensitive state. Instead, the application can remain on previously loaded views containing sensitive data (such as vault details with recovery keys or user profiles with account keys).

As these views are rendered and cached on the client's device, sensitive information remains visible in the browser until the user closes the tab, navigates to a different page within the application, or reloads the application — even though the server session is no longer valid.

Who is impacted:
All users of the Cryptomator Hub web client authenticated via Keycloak are potentially affected, especially when working with sensitive views.

Possible consequences:

  • Information Disclosure via Stale UI: Sensitive data remains visible locally after the session has expired, enabling potential local/shoulder-surfing attacks.
  • Perceived Policy Bypass: From the end-user perspective, SSO idle or maximum session policies appear ineffective because the UI does not update to reflect the expired session.

Patches

The issue is fixed in version 1.4.5 by:

  • Detecting refresh failures and unauthenticated states.
  • Redirecting to the login screen when the refresh token is expired or multiple refresh attempts fail.
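The two-part fix described above, as an added example that is not Cryptomator Hub's own code: a refresh guard for an SPA that models the vulnerable pattern (a failed refresh is swallowed and the stale view stays on screen) next to a hardened one that checks refresh-token expiry, counts consecutive refresh failures, clears client-side sensitive state and then redirects to login. The `auth` object is an assumed adapter with the shape of a keycloak-js instance (`updateToken(minValidity)` returning a promise, `login()`, `refreshTokenParsed.exp`); `MAX_REFRESH_FAILURES` and the `state` object are constructed for the example.

```javascript
// Added example, not project code. `auth` is an assumed adapter shaped like a
// keycloak-js instance: updateToken(minValidity) -> Promise (rejects on failure),
// login() -> void, refreshTokenParsed.exp (seconds since epoch).
const MAX_REFRESH_FAILURES = 3; // constructed threshold for the example

// Vulnerable shape: a failed refresh is only logged, the loaded view (and any
// sensitive data it holds) stays exactly as it was.
async function ensureFreshTokenUnsafe(auth, view) {
  try {
    await auth.updateToken(30);
  } catch (e) {
    console.warn('token refresh failed', e);
  }
  return view; // sensitive state untouched, no redirect
}

// Hardened shape: redirect when the refresh token is already expired or when
// refreshes keep failing; wipe client-side sensitive state before leaving.
function makeGuard(auth, state, now = () => Date.now()) {
  let failures = 0;
  return async function ensureFreshToken() {
    const exp = auth.refreshTokenParsed && auth.refreshTokenParsed.exp;
    const refreshExpired = exp !== undefined && exp * 1000 <= now();
    if (!refreshExpired) {
      try {
        await auth.updateToken(30);
        failures = 0;
        return 'ok';
      } catch (e) {
        failures += 1;
        if (failures < MAX_REFRESH_FAILURES) return 'retry';
      }
    }
    // Session is gone: drop anything sensitive held in memory, then go to login.
    for (const key of Object.keys(state)) delete state[key];
    failures = 0;
    auth.login();
    return 'redirected';
  };
}
```

Call the guard from the SPA's route guard or from a periodic timer so the redirect happens while the user is idle, not only on the next navigation.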

Workarounds

Until you have updated, if you have Cryptomator Hub browser tabs open and want to be sure you are not affected, close the tab or log out explicitly before leaving your device unattended.

References

Fixed in a1c4713

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs