Keybase Browser Extension Is Allowing Sites To See User’s Messages

The Keybase browser extension does not deliver the end-to-end encryption that the Keybase desktop app promises. Keybase is focused on securing users' communication and collaboration with public key cryptography.

Who Discovered The Flaw?

The flaw was discovered by Wladimir Palant, author of the popular Adblock Plus extension, who noticed that messages composed through the Keybase extension are exposed to third-party JavaScript code. The extension adds a "Keybase Chat" button to social profiles on Facebook, Twitter, Reddit and GitHub; clicking it opens a chat window in which the user types a message.

"When you compose your text and 'send' it, the extension transfers it to your local copy of Keybase, which encrypts the message and sends it through Keybase chat," states the FAQ for the Keybase Chrome and Firefox extension.

Where Is The Flaw?

The messages are not encrypted until they reach the desktop app. Because the chat window is injected into the host page, the site's own JavaScript can read the message content, and while the user is typing into the Keybase box, JavaScript code running in another extension can read the message as well.

“So the first consequence is: the Keybase message you enter on Facebook is by no means private. Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption,” Palant explains.

Palant recommended that users uninstall the browser extension and switch to another encryption platform if they use it to communicate sensitive data. He also offered a recommendation for fixing the issue: rendering the chat window inside an iframe.
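To make the iframe recommendation concrete, the following added example (not code from Keybase or from Palant's write-up) contrasts the pattern the article describes, a composer textarea placed in the host page's DOM, with a composer served from the extension's own origin inside an iframe. The file name `composer.html`, the `{ type: 'keybase-composer', status: ... }` message format and the `EXAMPLE_EXTENSION_ID` origin are assumptions made for the example; `chrome.runtime.getURL` and `window.postMessage` are standard browser APIs.

```javascript
// Added example, not Keybase's code: keep the composer out of the host page.
// A textarea in the host document is readable by the site's own scripts. A
// composer document served from the extension origin is separated from the
// host page by the same-origin policy, and the content script then accepts
// only origin-checked postMessage traffic from that frame.

// Origin of pages bundled with the extension. In a content script it is derived
// from chrome.runtime.getURL(); the literal is a constructed placeholder used
// when this file runs outside a browser.
const EXTENSION_ORIGIN =
  (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.getURL)
    ? new URL(chrome.runtime.getURL('/')).origin
    : 'chrome-extension://EXAMPLE_EXTENSION_ID';

// Message format between the composer frame and the content script, assumed
// for this example: { type: 'keybase-composer', status: 'sent' | 'closed' }.
// Only status notifications cross the boundary; the plaintext stays in the frame.
const COMPOSER_STATUSES = new Set(['sent', 'closed']);

function isTrustedComposerMessage(event, expectedOrigin = EXTENSION_ORIGIN) {
  // event.origin is filled in by the browser and cannot be chosen by the
  // sender, so a message posted by host-page JavaScript fails this check.
  if (event.origin !== expectedOrigin) return false;
  const d = event.data;
  return d !== null && typeof d === 'object'
    && d.type === 'keybase-composer' && COMPOSER_STATUSES.has(d.status);
}

// Vulnerable pattern (the one the article describes): the composer is an
// element of the host document, so the site's scripts can read
// doc.querySelector('#keybase-compose').value or listen for its 'input' events.
function mountInlineComposer(doc) {
  const ta = doc.createElement('textarea');
  ta.id = 'keybase-compose';
  doc.body.appendChild(ta);
  return ta;
}

// Hardened pattern: the composer is a separate document served from the
// extension origin. For the host page, frame.contentDocument is null and
// keystrokes typed inside the frame never reach the host page's listeners.
function mountIsolatedComposer(doc, composerUrl) {
  const frame = doc.createElement('iframe');
  frame.src = composerUrl; // chrome.runtime.getURL('composer.html'); name assumed
  frame.style.border = '0';
  frame.style.width = '400px';
  frame.style.height = '200px';
  doc.body.appendChild(frame);
  return frame;
}

// Content-script wiring; runs only inside a browser that exposes the
// extension APIs, so the module can also be loaded outside one.
if (typeof window !== 'undefined' && typeof document !== 'undefined'
    && typeof chrome !== 'undefined' && chrome.runtime) {
  mountIsolatedComposer(document, chrome.runtime.getURL('composer.html'));
  window.addEventListener('message', (event) => {
    if (!isTrustedComposerMessage(event)) return; // drop host-page traffic
    console.log('composer reported:', event.data.status);
  });
}
```

The iframe closes the channel the article describes, namely the host page reading the message as it is typed. It does not protect against a hostile host page removing the frame or overlaying its own look-alike composer, so the frame should carry a visual indication that it belongs to the extension, and the origin check on incoming messages is what keeps the host page from injecting fake status events.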
