Windows 10 News and info | Forum
Topic: Keybase Browser Extension Could Allow Sites to See Messages
javajolt
« on: September 08, 2018, 06:25:11 PM »

The browser extension for the Keybase app fails to keep the end-to-end encryption promise from its desktop variant.

Keybase is a communication and collaboration application focused primarily on securing the traffic from source to destination through public-key cryptography.

Wladimir Palant, the maker of the popular AdBlock Plus content-filtering tool, looked at how the web extension for Keybase works and noticed that the messages it sends are exposed to third-party JavaScript code.

The extension adds a "Keybase Chat" button to profile pages on Facebook, Twitter, GitHub, Reddit, and Hacker News. Clicking on the button opens a chat window where users can type their message.

"When you compose your text and 'send' it, the extension passes it to your local copy of Keybase, which encrypts the message and sends it through Keybase chat," states the FAQ section for the Keybase Chrome and Firefox extension.

Third-party JavaScript can read your messages

And herein lies the issue signaled by Palant: messages are not encrypted until they reach the desktop app; Keybase injects its button into web pages, but it does not isolate itself from them.

"So the first consequence is: the Keybase message you enter on Facebook is by no means private. Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption," Palant explains.

Two scenarios that make the risk obvious are a compromised web browser and compromised JavaScript code on the social network.

Palant offers a recommendation for fixing this issue, and that is by using an iframe.

Keybase's response to the developer's suggestion was that technical reasons prevented isolation through iframes.

Palant's recommendation is to uninstall the Keybase browser extension as soon as possible. You should heed this especially if you're using Keybase for sensitive communication.

source
« Last Edit: September 08, 2018, 06:30:07 PM by javajolt » Logged
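
The difference between injecting the compose box into the host page and isolating it in an iframe, as Palant recommends, sketched as an added example (not Keybase's or Palant's code). `chat.html` and all function names are hypothetical; `doc` and `runtime` stand for `document` and `chrome.runtime`.

```javascript
// Added illustration, not Keybase's code. Names and chat.html are hypothetical.

// Weak pattern: the compose box is created inside the host page's DOM.
// Content-script variables live in an isolated world, but DOM nodes are
// shared, so the host page's own scripts can read this element's value
// and attach input listeners to it before anything is encrypted.
function injectIntoPage(doc, anchor) {
  const box = doc.createElement("textarea");
  box.className = "ext-chat-compose";
  anchor.appendChild(box);
  return box;
}

// Isolated pattern: the host page only receives an <iframe> whose document
// is served from the extension's own origin. The same-origin policy keeps
// page scripts out of that document, so plaintext is typed where the host
// page cannot read it. chat.html must be listed under
// web_accessible_resources in the manifest for the frame to load.
function injectIsolated(doc, anchor, runtime) {
  const frame = doc.createElement("iframe");
  frame.src = runtime.getURL("chat.html");
  frame.style.border = "0";
  anchor.appendChild(frame);
  return frame;
}

// Runs inside chat.html (extension origin): hand the plaintext to the
// extension's background script, which forwards it to the desktop app.
// The text never passes through the host page's DOM.
function sendFromFrame(runtime, recipient, text) {
  const msg = { type: "chat", to: recipient, body: text };
  runtime.sendMessage(msg);
  return msg;
}

// Form fields the host page can see directly under the injection point.
function pageVisibleInputs(anchor) {
  return Array.from(anchor.children).filter(
    (n) => n.tagName === "TEXTAREA" || n.tagName === "INPUT"
  );
}
```

Isolation of this kind protects the confidentiality of the typed text only; the host page can still hide, move or overlay the frame it was given.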


