Keybase is owned by Zoom and currently has almost half a million privacy-focused users.
John Jackson and researchers at Sakura Samurai have identified a flaw in the Keybase app. The app is regarded as one of the best for encrypted communication. This feature-rich app offers comprehensive privacy and security. However, Jackson reported in the company’s latest report that the bug could compromise Keybase users’ privacy.
Bug Affects Keybase App’s Picture Storing Mechanism
According to Jackson and his team, the bug carries the identifier CVE-2021-23827. It impacts the app’s cleartext image storing cache and is found in all desktop versions of the app across all platforms, including Windows, Mac, and Linux.
In the Keybase app, under normal circumstances, after deleting a picture or enabling the explode feature, which activates time-based deletion of images, the pictures are expected to be wiped from the app’s cache.
However, despite showing them as deleted, the pictures were neither removed on the local cache nor from the “uploadtemps” directories due to the bug. This means the images were still retrievable in cleartext format.
According to a blog post published by researchers, the bug also prevents the “uploadtemps” folder from getting immediately wiped, as it usually happens. Typically, the folder remains alive on the local storage until the image uploading action lasts.
Recovered and unencrypted image on WindowsImage: John J Hacking
If an attacker can establish local access on the device, they can easily access files, which the user believes have been deleted on Keybase. This could be detrimental for privacy-focused users as the primary reason they picked up Keybase is to keep their data secure from authoritarian regimes.
Flaw Fixed in January
The flaw in Keybase was identified during Zoom’s bug-hunting program after it acquired the project in May 2020. The flaw was reported to Zoom and fixed in Keybase 5.6.0 for Windows and Keybase 5.6.1 for macOS and Linux.
The patches were released on 23 January 2021, so if you are still using the old version, immediately update your Keybase client. For discovering this flaw, the Sakura Samurai team received a $1,000 bug bounty.