Exclusive: Flaws in Zoom’s Keybase App Kept Chat Images From Being Deleted

A serious flaw in Zoom’s Keybase secure chat application left copies of images contained in secure communications on Keybase users’ computers after they were supposedly deleted. Zoom said it has fixed the flaw in the latest versions of its software for Windows, macOS and Linux.

The flaw in the encrypted messaging application (CVE-2021-23827) does not expose Keybase users to remote compromise. However, it could put their security, privacy and safety at risk, especially for users living under authoritarian regimes in which apps like Keybase and Signal are increasingly relied on as a way to conduct conversations out of earshot of law enforcement or security services.

The flaw was discovered by researchers from the group Sakura Samurai as part of a bug bounty program offered by Zoom, which acquired Keybase in May, 2020.

According to researcher John Jackson of Sakura Samurai, the Keybase flaw manifested itself in two ways. First: Jackson discovered that images that were copy and pasted into Keybase chats were not reliably deleted from a temporary folder, /uploadtemps, associated with the client application. “In general, when you would copy and paste in a Keybase chat, the folder would appear in (the uploadtemps) folder and then immediately get deleted,” Jackson told Security Ledger in a phone interview. “Clearly there was some kind of software error – a collision of sorts – where the images were not getting cleared.”

Discovering that flaw put Sakura Samurai researchers on the hunt for more and they soon struck pay dirt again. Sakura Samurai members Aubrey Cottle, Robert Willis and Jackson Henry discovered an unencrypted directory, /Cache, associated with the Keybase client that contained a comprehensive record of images from encrypted chat sessions. The application used a custom extension to name the files, but they were easily viewable directly or simply by changing the custom file extension to the PNG image format, Jackson said.

In most cases, the failure to remove files from cache after they were deleted would count as a “low priority” security flaw. However, in the context of an end-to-end encrypted communications application like Keybase, the failure takes on added weight, Jackson wrote. “An attacker that gains access to a victim machine can potentially obtain sensitive data through gathered photos, especially if the user utilizes Keybase frequently. A user, believing that they are sending photos that can be cleared later, may not realize that sent photos are not cleared from the cache and may send photos of PII or other sensitive data to friends or colleagues.”

In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security “very seriously.” “We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates,” the spokesman said.

> All the Keybase backend does is take encrypted blobs of data that it can't read and ship them to one or more destinations. It would be a great move by Zoom to open source it but you don't need to audit it to know that your data is secure, any more than you need to see the source of Gmail's backend to trust a signed and encrypted PGP email. The whole point of the system is that even if Zoom published the entire Keybase DB in a public S3 bucket it would be of no use to anyone. The Keybase client, where all the important stuff happens, is open source, and we'll know if anything gets changed there.
>
> Zoom has a horrible privacy reputation which is why they're spending lots of cash hiring new talent, getting audited, and revising their code and policies. None of that means anything if they stick a bunch of ads and tracking code into Keybase. It would basically be flushing their Keybase acquisition down the toilet and undo all the other work they've done trying to turn the page. In short, it would be a monumentally stupid waste of money for very little gain.
>
> Maybe they will shut down Keybase, or cut back storage quotas, or add paid plans. Keybase was funded by VC money and those investors expect to get their money back someday. Being acquired by a big company means that the servers can keep humming with no expectation of becoming profitable. I'm not saying that's what will happen, but on the balance it means Keybase could have a much longer lifespan being owned by Zoom than as a startup.
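The /Cache finding described in the article above turned on a simple fact: renaming a file does not change what is in it, so a cached chat image stored under a custom extension is still a PNG to anything that reads the first few bytes. The following audit script is an added example (not code from the article, the researchers, or the Keybase project) that a defender or a user can run against any client cache directory to list image files that survive there regardless of extension, so leftover material can be reviewed and securely removed. The directory layout, the `.cachedimg` extension and the sample files are constructed for the demonstration; they are not Keybase's real naming scheme.

```python
"""Audit a cache directory for image files that survive under any extension.

Added example, not Keybase or Sakura Samurai code.  Files are identified by
their leading magic bytes, never by their name, so a PNG renamed to a custom
extension is still reported as an image.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Leading-byte signatures of common image formats (real, documented values).
IMAGE_SIGNATURES: Dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions that are honest about each content type.
EXPECTED_EXTENSIONS: Dict[str, set] = {
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "gif": {"gif"},
}


def sniff_image_type(head: bytes) -> Optional[str]:
    """Return the image type implied by the file's first bytes, or None."""
    for kind, magic in IMAGE_SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def find_cached_images(cache_dir: Path) -> List[dict]:
    """Walk cache_dir and report every file whose content is an image.

    Each finding records the relative path, the sniffed type, the extension
    the file carries, and whether that extension hides the real content.
    """
    findings: List[dict] = []
    for path in sorted(cache_dir.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(16)  # longest signature above is 8 bytes
        kind = sniff_image_type(head)
        if kind is None:
            continue
        ext = path.suffix.lstrip(".").lower()
        findings.append({
            "path": path.relative_to(cache_dir).as_posix(),
            "type": kind,
            "extension": ext,
            "extension_mismatch": ext not in EXPECTED_EXTENSIONS[kind],
        })
    return findings


def build_sample_cache(root: Path) -> None:
    """Create a constructed cache tree: two disguised images, one honest
    JPEG, and one text file that must not be reported."""
    (root / "chat").mkdir()
    (root / "thumbs").mkdir()
    # PNG content under a made-up custom extension (hypothetical name).
    (root / "chat" / "0001.cachedimg").write_bytes(
        IMAGE_SIGNATURES["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 16)
    # Honest JPEG.
    (root / "chat" / "0002.jpg").write_bytes(
        IMAGE_SIGNATURES["jpeg"] + b"\xe0\x00\x10JFIF" + b"\x00" * 8)
    # Plain text: not an image, must be skipped.
    (root / "chat" / "index.txt").write_text("conversation index\n")
    # GIF content under a generic .bin name.
    (root / "thumbs" / "0003.bin").write_bytes(
        IMAGE_SIGNATURES["gif"] + b"9a" + b"\x00" * 10)


def demo() -> List[dict]:
    """Build the constructed cache in a temp dir, audit it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_cache(root)
        return find_cached_images(root)


if __name__ == "__main__":
    for f in demo():
        flag = "DISGUISED" if f["extension_mismatch"] else "ok"
        print(f"{f['path']:<22} {f['type']:<5} .{f['extension']:<10} {flag}")
```

Running the script on a real cache means pointing `find_cached_images` at the directory instead of the constructed tree; the point of the design is that the check reads content, so a future change of custom extension would not evade it. Anything reported should be reviewed and deleted with the platform's secure-deletion tooling rather than a plain delete, since the original concern was files persisting after the user believed them gone.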