Flaws in Zoom's Keybase app kept deleted chat images

John Jackson, penetration tester and founder of Sakura Samurai, said in a blog post on Monday that Keybase clients before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, are affected. Keybase is owned by Zoom and currently has almost half a million privacy-focused users.

Jackson examined the client and found that inside the Keybase uploadtemps and cache directories, photos that had previously been pasted into conversations were still present and were not encrypted. Even if a user had set the content to "explode" or be deleted, the cache still contained residual image files because Keybase failed to clear them adequately. On Mac machines, all it took to recover this content was to view the directory; on Windows, the image file extensions would need to be changed.

"A user, believing that they are sending photos that can be cleared later, may not realize that occasionally pasted photos are not cleared from the cache and may send photos of credentials, etc., to friends or may even send other sensitive data. The photos then can be stored insecurely on a case-by-case basis."

"An attacker that gains access to a victim machine can potentially obtain sensitive data through gathered photos, especially if the user utilizes Keybase frequently," Jackson said.

This does mean that the issue remains local; however, even local vulnerabilities need to be patched rapidly by services that promote themselves as privacy-centric.

The vulnerability was reported through Keybase's bug bounty program on HackerOne on January 9, 2021. A fix was issued on January 23 which resolved the bug and also cleared out all of the images on clients that should previously have been wiped. Public disclosure was held back until February 22 to give users time to apply the update, and Jackson was awarded $1,000 for his report.

In a blog post today, Keybase said: "Initially, our single top priority is helping to make Zoom even more secure." However, the fate of Keybase's existing products is a bit murky.

Update 17.14 GMT: A Zoom spokesperson told ZDNet: "Zoom takes privacy and security very seriously and appreciates vulnerability reports from researchers. We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates."

Read the original post: Deleted Keybase chat images retrievable on Windows, macOS, Linux.
Further coverage: SecurityWeek, "Exclusive: Flaws in Zoom's Keybase App Kept Chat Images From Being Deleted"; Paul Roberts, The Security Ledger.
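As an added example (not code from the article, from Jackson or from Keybase), a small audit a user or administrator could run against the client's cache and uploadtemps directories after updating, to confirm that pasted images no longer linger there. It identifies images by their leading bytes rather than by extension, since on Windows the cached files only opened as images once their extensions were changed. The directory path is an assumption the caller supplies; the sample files it audits are constructed inline.

```python
import os
import tempfile
# Image format signatures. Match on content, not extension: the article notes
# the cached files on Windows only opened once their extensions were changed.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def image_type(path):
    """Return the image format named by the file's leading bytes, or None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError:
        return None
    for fmt, magic in IMAGE_SIGNATURES.items():
        if head.startswith(magic):
            return fmt
    return None

def find_residual_images(root):
    """Walk `root` (assumed to be the client's cache or uploadtemps directory;
    the real path is platform specific) and return sorted (path, format) pairs
    for every file holding image data, whatever its name or extension."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            fmt = image_type(path)
            if fmt is not None:
                found.append((path, fmt))
    return sorted(found)

def demo():
    """Audit a constructed cache holding an extension-less PNG, a JPEG named
    .tmp and a text file; returns paths relative to the constructed root."""
    root = tempfile.mkdtemp(prefix="keybase-cache-demo-")
    os.makedirs(os.path.join(root, "uploadtemps"))
    samples = {  # constructed sample files, not real Keybase data
        os.path.join("uploadtemps", "a1b2c3"): IMAGE_SIGNATURES["png"] + b"\0" * 32,
        "cache.tmp": IMAGE_SIGNATURES["jpeg"] + b"\xe0" + b"\0" * 32,
        "notes.txt": b"not an image",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return [(os.path.relpath(p, root), f) for p, f in find_residual_images(root)]
```

Running `demo()` reports the two disguised image files and ignores the text file; point `find_residual_images` at the real cache directory to audit an installed client.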