Blog / Security Fixes with 1.1.4 Update

Cryptomator 1.1.4 for Windows, OS X, and Linux fixes two (related) vulnerabilities allowing malicious Flash files being injected into vaults, that can be executed to “bypass” the SOP and access files from a Flash-enabled browser (GitHub Issues 318 & 319). Kudos to Lukas Reschke for reporting them!

Various bugs with Dropbox, Google Drive, Windows drive letters, the Windows Registry and WebDAV access on Linux were also fixed. A complete list of closed issues is available here.

What’s next?

  • We’re making progress with the Android app. If everything goes as planned, you can expect a first beta release next month. We’ll send out invitation links to those who have expressed interest in participating in the beta. Stay tuned!
  • We plan to improve the desktop app compatibility- and performance-wise by integrating FUSE/Dokany (PFM has been suggested instead of Dokany, we’re still evaluating this). Hopefully, we can launch a first beta with these major changes by the end of this year.
  • Due to these major development efforts we have been modularizing the cryptographic relevant libraries into cryptolib and cryptofs under the GPL license. In that way, it’s easier for us to use the same libraries across multiple apps and also for third parties to use them independent of our main application. These libraries aren’t final yet.
  • We haven’t planned our 1.2 milestone yet, but the  has been highly requested and is probably the biggest contender right now. We hear you and we’d like to thank you for all your feedback! 😄