Secure messaging app says ’it’s not worth a fix’

The browser extension for Keybase, an encrypted social messaging app, is failing to protect its users from malicious third-parties, a researcher has warned.

The plug-in, which is designed to facilitate secure and easy communication on social media platforms like Facebook, uses a third-party chat function to transfer messages back to the Keybase app.

This means that a user can send a Keybase message over Facebook, for example, by clicking on the chat button that appears on their profile after installing the browser extension.

While this allows users to strike up a conversation on any social media platform via Keybase, messages sent in such a way are not being encrypted, says Wladimir Palant, creator of the content-filtering tool Adblock Plus.

“The Keybase message you enter on Facebook is by no means private,” said Palant, having reported the issue to Keybase’s bug bounty program earlier this week.

“Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption.”

Concerns with browser extensions have been wide-ranging, as lapses in security can result in third parties collecting user information for advertising, or even worse, in falling victim to exploited vulnerabilities found in the websites they are integrated with.

“So if hundreds of people complain about you sending them spam messages via Keybase, it might be somebody exploiting the Keybase extension on your computer via an XSS vulnerability in Reddit,” said Palant.

“Have fun explaining how you didn’t do it, even though the messages were safely encrypted on your computer.”

Isolating websites to their own process tends to be an easy resolver for security concerns, and one that was added to Chrome by default in July in order to prevent the spread of attacks like Spectre.

“By isolating all of the extension’s user interface in an <iframe> element, this would prevent both the website and other extensions from accessing it,” said Palant.

But, according to Palant, Keybase was less than concerned that their promise of end-to-end encryption did not extend to its browser extension feature, citing technical reasons for iframes not working, and that it wasn’t “worth a fix”.

Keybase, which has less than 2,000 daily browser extension users, does highlight these security concerns on its download page, saying that sensitive chat should be reserved for its app if someone fears that their browser or social media platform has been compromised. Only the first message sent, Keybase noted, goes through the extension, making it the only one that's potentially vulnerable.

Speaking to The Daily Swig, Max Krohn, Keybase co-founder, said: "We described very clearly in the extension's launch announcement and in the 'getting started' page that it [the Keybase browser extension] works under the assumption that the page you're looking at – or your browser, for that matter – is not compromised at the time you use it."

Krohn added: "The alternative, DM'ing without the Keybase extension, assumes the host site is never compromised at all, even in the future."

Palant, on the other hand, recommends users uninstall the extension.