Keybase Browser Extension Is Allowing Sites To See User’s Messages

The Keybase browser extension does not deliver the end-to-end encryption that users get from the desktop app. Keybase is primarily focused on securing users' communication and collaboration with public-key cryptography.

Who Discovered The Flaw?

The flaw was discovered by Wladimir Palant, the author of the popular Adblock Plus extension, who noticed that messages sent through this extension are exposed to third-party JavaScript code. The extension adds a “Keybase Chat” button to social profiles on Facebook, Twitter, Reddit and GitHub. Clicking the button opens a chat window where the user can type a message.

Where Is The Flaw?

The messages are not encrypted until they reach the desktop app, which allows third-party JavaScript to read their content. Even while a user is entering a message in Keybase, JavaScript code in another extension can read it.

Palant recommended that users uninstall the browser extension and opt for other encryption platforms if they use this application to communicate sensitive data. He also offered a recommendation for fixing the issue: use an iframe.
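
An added example (not Keybase's or Palant's code) of the review check that the iframe recommendation implies: it audits a DOM-like tree for extension-injected inputs that sit in the host page's DOM, and treats a frame as isolating only when it loads from the extension's own origin, which is an assumption about how the iframe fix would be built. The `injected` marker, `chat.html` and the extension ID are constructed for illustration.

```javascript
// Added example, not Keybase code. Nodes are plain objects shaped like DOM
// elements (tagName, attributes, children) so the audit also runs in Node.
// EXT_BASE is a constructed placeholder, not a real extension ID.
const EXT_BASE = "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/";

function isEditable(node) {
  const attrs = node.attributes || {};
  return node.tagName === "TEXTAREA" || node.tagName === "INPUT" ||
    attrs.contenteditable === "true";
}

// A frame isolates its content only if it loads from the extension's origin.
// Frames with no src, about:blank or srcdoc inherit the host page's origin.
function isIsolatedFrame(node, extBase) {
  const attrs = node.attributes || {};
  return node.tagName === "IFRAME" && !("srcdoc" in attrs) &&
    typeof attrs.src === "string" && attrs.src.startsWith(extBase);
}

// Report extension-injected UI that scripts running in the host page can read.
function auditInjectedUi(node, extBase, inInjected = false, path = "") {
  const here = `${path}/${node.tagName.toLowerCase()}`;
  const injected = inInjected || node.injected === true;
  if (!injected) {
    return (node.children || []).flatMap(c => auditInjectedUi(c, extBase, false, here));
  }
  if (node.tagName === "IFRAME") {
    return isIsolatedFrame(node, extBase) ? [] : [`${here}: frame not on extension origin`];
  }
  const findings = isEditable(node) ? [`${here}: input in page DOM`] : [];
  for (const child of node.children || []) {
    findings.push(...auditInjectedUi(child, extBase, true, here));
  }
  return findings;
}

// Constructed sample trees: chat box built in the page vs. framed chat UI.
const el = (tagName, attributes = {}, children = [], injected = false) =>
  ({ tagName, attributes, children, injected });
const inPage = el("BODY", {}, [
  el("DIV", { class: "chat" }, [el("TEXTAREA")], true)]);
const framed = el("BODY", {}, [
  el("IFRAME", { src: EXT_BASE + "chat.html" }, [], true)]);
const srcdocFrame = el("BODY", {}, [
  el("IFRAME", { srcdoc: "<textarea></textarea>" }, [], true)]);

console.log(auditInjectedUi(inPage, EXT_BASE));
console.log(auditInjectedUi(framed, EXT_BASE));
console.log(auditInjectedUi(srcdocFrame, EXT_BASE));
```

The `srcdoc` case is flagged because such a frame takes the embedding page's origin, so wrapping the chat box in a frame gives no separation unless the frame's document is served from the extension itself.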
