Author Topic: Keybase Browser Extension Could Allow Sites to See Messages  (Read 267 times)

Offline javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35125
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
Keybase Browser Extension Could Allow Sites to See Messages
« on: September 08, 2018, 06:25:11 PM »
The browser extension for the Keybase app fails to keep the end-to-end encryption promise from its desktop variant.

Keybase is a communication and collaboration application focused primarily on securing the traffic from source to destination through public-key cryptography.

Wladimir Palant, the maker of popular AdBlock Plus content filtering tool, looked at how the web extension for Keybase works and noticed that the messages it sends are exposed to third-party JavaScript code.

The extension adds a "Keybase Chat" button into profiles pages for Facebook, Twitter, GitHub, Reddit, and Hacker News. Clicking on the button opens a chat window where users can type their message.

"When you compose your text and 'send' it, the extension passes it to your local copy of Keybase, which encrypts the message and sends it through Keybase chat," informs the FAQ section for the Keybase Chrome and Firefox extension.

Third-party JavaScript can read your messages

And herein lies the issue signaled by Palant: messages are not encrypted until they reach the desktop app; Keybase injects its button into web pages, but it does not isolate itself from them.

"So the first consequence is: the Keybase message you enter on Facebook is by no means private. Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption," Palant explains.

Two scenarios that make the risk obvious is having the web browser or the social network's JavaScript code compromised.

Palant offers a recommendation for fixing this issue, and that is by using an iframe.

Keybase's response to the developer's suggestion was that technical reasons obstructed insulation through Frames.

Palant's recommendation is to uninstall Keybase browser extension as soon as possible. You should heed to this especially if you're using Keybase for sensitive communication.

source
« Last Edit: September 08, 2018, 06:30:07 PM by javajolt »