Encrypted data is leaked in plain text to the startup drive

Jeff

[edit: this could possibly be considered a “feature request” rather than a “bug” - let’s just say it’s an “issue”.] People may have the expectation that their files are stored encrypted in the cloud and not saved on their computer in an unencrypted form after they sign out. However, both the desktop app and the browser version drop plain-text copies of documents onto the user’s computer, as well as the encryption key, in the IndexedDB storage. That’s not obvious to the casual user, but could easily be read by anyone poking around the computer - for example on a computer at the office or a friend’s place used to sign in to the web app, or a laptop or phone search at a border crossing.

See my post on Slack for details.

Jorge

Jeff I am also very concerned about the security of the info and took a look a the local storage and couldn’t find anything unencrypted there.

Jeff

Jorge Did you read the Slack post? I’m just copying it to the new forum so the issue doesn’t get lost. The unencrypted information is inside the IndexedDB file, which is an sqlite file at least on Firefox. You need an sqlite browser or a hex editor to look at the file. Details below.

To be fair, Legend promises “end-to-end encryption” over the network, but not necessarily that it’s encrypted on the end point device. The same applies to other apps like Signal. That might not be clear to many people though, so some warnings or disclaimers are maybe in order.

Here’s a copy of what I wrote on Slack:

I’m not a security expert, so I spent a few hours today looking into this. You said “Browsers encrypt the IndexedDB storage file themselves, so that should not be a weak link.” But I can’t find any evidence of that, everything I read says that IndexedDB is not encrypted by the browser. Where would it store the key? See e.g. the comments on this page.

I looked at the IndexedDB sqlite file in my Firefox 89 profile folder, and it does indeed contain the unencrypted ascii text of my Moo.do documents. It’s a little scrambled, but I could easily read it with a hex editor or sqlite browser. After I logged out and quit the browser, the IDB files were still there. Most of the text had been cleared out, though there was at least one sentence from one of my documents, and some other information. Similarly, in the desktop app’s .Idb files, I could read the unencrypted text of my documents. In this case though, when I logged out and quit the app, the entire text remained in the files, it was not cleared.

I’d say this is a weak link in some circumstances, since Moo.do leaks its data onto the hard drive in an unencrypted plain-text form. Simply deleting or clearing a text or sqlite file isn’t sufficient to destroy the data. For example, another user attempting to recover a file they deleted using off-the-shelf recovery software may inadvertently discover parts of old Moo.do documents, and this could happen on any shared computer at home or at work. In some systems, an SSD with TRIM reduces the chances of erased text being recovered, but not 100% - especially in higher-risk situations like a border search or seizure of a laptop or phone. In the case of the desktop app, the text isn’t even deleted on logout - the app leaves unencrypted copies of the Moo.do documents behind, that anyone can easily find and read with a hex editor.

You mention that “the generated encryption key is stored in IndexedDB, where it is secure and cannot be exported.” I guess this means you’re using the CryptoKey API. But the “cannot be exported” only applies to exporting via javascript in the browser. If someone has access to the IDB file on disk, the key can also easily be read out. See this presentation. Posession of the key would require the Moo.do login password to access documents in the cloud, but this could be requested by law enforcement, defeating the zero-knowledge encryption.

Some of these issues aren’t exclusive to Moo.do. If you’re storing a persistent private key on a user’s device for convenience, there are going to be tradeoffs. One option, if possible, might be to store only encrypted data in IDB, rather than the unencrypted plain text, and an option to store the key only in RAM. That could improve the security at the cost of having to enter the encryption password every browser restart. If you’re advertising “extreme privacy”, maybe an independent security audit would be valuable. To be honest, given the disparity between what you wrote about the security of the IDB storage, and what I found out myself, plus Mozilla’s warning about using the crypto API, I have to wonder if there are other parts of Moo.do’s privacy chain that have weak links. One related thing I noticed is that in the desktop app, “Enable automatic backups” seems to be checked by default when you install it. You might want to not do that. When you check “encrypt local files”, how is the key derived, and is it also stored unencrypted in IDB? An option to automatically log out when you quit the desktop app might also be helpful in a work environment.

Having said all this, I’m still going to prefer Moo.do over Dynalist or the others, where the documents are stored in the cloud without any encryption, and open to employees, hackers, or government requests to read. But I’m not going to log in to my Moo.do account on a work computer, due to the data leakage, and I’d feel better if unencrypted copies of my documents and encryption key weren’t cached in the browser or desktop app even on my own machine.

Jay replied:

Thank you for all of this information!I’m not sure why I thought that IndexedDB is encrypted - I thought I thought I had read that somewhere… All of the consideration we’d put into security and encryption was related to the safety of the network and backend storage, and we’d never really thought about untrustworthy local storage or put any effort into that level of privacy.

When you encrypt local files it uses the same encryption key as would be used on synced documents (stored in IndexedDB), a generic key by default or a key derived from your user password with PBKDF2.

I think adding more local storage related privacy options will be an interesting direction to go in the future. Encrypting the data before saving it into IndexedDB and not saving the CryptoKey at all could be a good solution, and would just require entering the password on every load. That could be a good option for super privacy focused people. We’re planning a re-structuring of how data is synced in a few months, so that would be a good time to design for local storage privacy too.

ahp

Jeff We’re planning a re-structuring of how data is synced in a few months, so that would be a good time to design for local storage privacy too.

@Jay assuming you’re close to releasing the new backend, will local storage privacy make the cut? I am attempting to use Legend for work and personal use, but I would not want to have personal data/files be stored unencrypted/in plain text on a corporate device cache.

Jeff

Since the option to encrypt local files has been removed from Legend, a solution I’ve been using is to set “Save local files in:” in the settings to a separate encrypted disk image that can be unmounted when I’m not using it, or when the computer reboots. It might be nice if the “automatic backups” location was also configurable in the settings, so that they could be stored there too. As a workaround, I made a link in the filesystem. Unfortunately, after changing from the Moo.do desktop app to Legend, it didn’t occur to me that it would change the backups location, and it copied all my encrypted local files unencrypted to the startup disk.

@Jay , I’d like to know other than that if any parts of local files are saved or cached unencrypted to the startup disk. I looked in the idb file in (on Mac) ~/Library/Application Support/Legend/Partitions/main/IndexedDB but couldn’t see any text from local files. Does it just use the local .json files in the docs folder directly? Is there anywhere else data might leak to, a cache or container folder outside the Application Support one?

What If I just move and link the whole “Application Support/Legend” folder to the encrypted disk image, would that cause any problems? I guess that would also solve the problem of the cloud files being cached unencrypted in the idb file, as long as I don’t use it in the browser. Would it make sense if the location of the whole folder could be specified in the settings?

Jorge

Jeff I have moved my whole Legend data folder to another disk (other than the startup) and it works perfeclty. I just placed a hard link in the original location in the startup disk pointing to the destination in the secondary drive and it works flawlessly.

Jeff

Jorge thanks. I went ahead and moved my whole Legend desktop app data folder over, and made a link to it from the original place on the startup disk (on the Mac, ~/Library/Application Support/Legend). As far as I can tell, it seems to be working ok. It would be good to know if there’s anywhere else on the startup disk that unencrypted data or passwords/keys might be stored or cached. I looked in ~/Library/Containers and ~/Library/Caches, and didn’t see anything. Swap files on the Mac are encrypted, so that should be ok, as long as the computer is shut down or restarted. If I unmount the disk, Legend won’t start up, and if I mount it again it looks like it works normally, which is what I want.

The main reason for doing this is in case I can’t operate my computer, and a family member needs to. I’d prefer if they couldn’t just open Legend and read my personal notes, diary, etc. I don’t expect anyone to be poking around with a hex editor, but you never know I guess.