2008-09-18

Software developer Wladimir Palant has written a blog post explaining a fatal shortcoming in Keybase's browser extension. Keybase claims to offer end-to-end encryption for chat and file sharing despite running inside a browser. The browser extension is apparently flawed in that, when it inserts itself into third-party web sites, it fails to remain isolated from those sites, so a site could potentially read all of the user's secret information or even forge messages and files under the compromised identity. The response from Keybase to Wladimir has been underwhelming.

Two days ago I decided to take a look at Keybase. Keybase does crypto, is open source and offers security bug bounties for relevant findings — just the perfect investigation subject for me. It didn't take long for me to realize that their browser extension is deeply flawed, so I reported the issue to them via their bug bounty program. The response was rather... remarkable. It can be summed up as: "Yes, we know. But why should we care?"

Palant's recommendation is to uninstall the Keybase browser extension as soon as possible. The status of the phone application is unclear, as he has not looked into it.