
SoylentNews is people

posted by martyb on Saturday September 08 2018, @03:06PM
from the couldn't-care-less-or-could-they? dept.

Software developer Wladimir Palant has written a blog post explaining a fatal shortcoming in Keybase's browser extension. Keybase claims to offer end-to-end encryption for chat and file sharing despite being inside a browser. The browser extension is apparently flawed in that, when it inserts itself into third-party web sites, it fails to remain isolated from those sites and thus potentially exposes all secret information or even allows the forging of messages and files under the compromised identity. The response from Keybase to Wladimir has been underwhelming.

Two days ago I decided to take a look at Keybase. Keybase does crypto, is open source and offers security bug bounties for relevant findings — just the perfect investigation subject for me. It didn't take long for me to realize that their browser extension is deeply flawed, so I reported the issue to them via their bug bounty program. The response was rather... remarkable. It can be summed up as: "Yes, we know. But why should we care?"

His recommendation is to uninstall the Keybase browser extension as soon as possible. The status of the phone application is unclear, as he has not looked into it.


  • (Score: 0) by Anonymous Coward on Sunday September 09 2018, @06:38AM

    That's funny; my experience with Keybase desktop was really poor. I always assumed mobile must be better because people use it at all.

    Soooooo Just wanted to crash party and say:

    Keybase -1