9/27/2023 0 Comments Flaws keybase app kept chat imagesThis does not work if Account A is truly logged out of the desktop client it only works if the desktop user has selected another account with the Keybase account switcher (by clicking on the “Hi !” dropdown in the top left).Ī time-delay factor comes into play here: if the desktop client is switched back to account A and the user then immediately clicks on the chat in question, the desktop client is prevented from detonating the explosion. If a message originates from Account A using a desktop client, and is then exploded - by any member of the chat, even Account A on mobile - while Keybase is still running on desktop, but Account A is logged out and Account B is logged in on that same desktop client, then, when Account A logs back into the same desktop client, the exploded message will still be visible. This feature is available on all Keybase clients, and when functioning as intended, exploded messages should instantly self-destruct across all devices that have access to a chat.Īfter identifying CVE-2021-34421, a mobile-only Keybase vulnerability in which exploding messages could be retained by moving the Keybase app out of the foreground, Olivia O'Hara aimed to discover whether there was a way to achieve the same result on Keybase desktop clients.Īfter examination, O’Hara identified multiple ways to retain exploded messages on desktop: Users can also manually explode messages if they decide the message is too sensitive for others to retain for the duration of that predetermined length of time. When activated, Keybase’s chat explode feature allows users to send a message, and then have it automatically “explode”-or self-destruct from all users’ devices-after a predetermined period of time. Olivia O’Hara - /oliviaohara Identification This process was not known to be tested on any Linux distributions. Zoom staff handled further Windows testing. This researcher used macOS platforms to identify and test the vulnerability, but was able to reproduce by following the same process on a Windows 10 VM (VirtualBox), simulating sleep with VirtualBox's "Save the machine state" option. This vulnerability affects desktop versions < 5.9.0. Using this method, an unscrupulous individual with access to a conversation could recover sensitive data. How does this work? When the Keybase desktop client is operating, a user can switch out of Keybase’s Chat tab and put their computer to sleep if a second user explodes a message in a shared chat during that time, the message will still be visible to the original user when they return to the chat. Wednesday, FebruCVE-2022-22779 :: Keybase App Vulnerability: Retained Exploded Messages in Keybase Clients for macOS and Windows In desktop versions of Keybase older than 5.9.0, users can easily retain "exploded" messages with a few clever clicks, meaning your sensitive chats may still be read after you want them gone.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |