![]() ![]() The flaw in the encrypted messaging application ( CVE-2021-23827 ) does not expose Keybase users to remote compromise. However, it could put their security, privacy and safety at risk, especially for users living under authoritarian regimes in which apps like Keybase and Signal are increasingly relied on as a way to conduct conversations out of earshot of law enforcement or security services. The flaw was discovered by researchers from the group Sakura Samurai as part of a bug bounty program offered by Zoom, which acquired Keybase in May, 2020. Zoom said it has fixed the flaw in the latest versions of its software for Windows, macOS and Linux.Īccording to researcher John Jackson of Sakura Samurai, the Keybase flaw manifested itself in two ways. ![]() First: Jackson discovered that images that were copy and pasted into Keybase chats were not reliably deleted from a temporary folder, /uploadtemps, associated with the client application. “In general, when you would copy and paste in a Keybase chat, the folder would appear in (the uploadtemps) folder and then immediately get deleted,” Jackson told Security Ledger in a phone interview. Clearly there was some kind of software error – a collision of sorts – where the images were not getting cleared.”Įxploitable Flaw in NPM Private IP App Lurks Everywhere, Anywhere ĭiscovering that flaw put Sakura Samurai researchers on the hunt for more and they soon struck pay dirt again. Sakura Samurai members Aubrey Cottle ( ), Robert Willis ( and Jackson Henry ( ) discovered an unencrypted directory, /Cache, associated with the Keybase client that contained a comprehensive record of images from encrypted chat sessions. ![]() In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security “very seriously.” The application used a custom extension to name the files, but they were easily viewable directly or simply by changing the custom file extension to the PNG image format, Jackson said. “We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Flaws in keybase kept chat images windows# Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates,” the spokesman said. Flaws in keybase kept chat images windows#įlaws in keybase kept chat images software#.Flaws in keybase kept chat images software#.Over the past week and a half, buy pressure on $ZM has been easing up – a clear bearish divergence can be spotted on the 4H chart. This acquisition announcement also comes at somewhat of a key time in terms of Zoom’s stock performance. ![]() On the flipside, mainstream consumers will see this headline as “Zoom partners with security company to enhance privacy features” – these are the people who likely didn’t care much about Zoom’s security flaws in the first place, so reading a headline like this will only make Zoom “even better” in their minds. Technical and privacy-minded people who respect Keybase may reconsider Zoom after this acquisition. Optics-wise, I think it’s a win for Zoom. Of course, if anything changes about Keybase’s availability, our users will get plenty of notice. Ultimately Keybase’s future is in Zoom’s hands, and we’ll see where that takes us. There are no specific plans for the Keybase app yet. Initially, our single top priority is helping to make Zoom even more secure. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |