Keybase.io Vulnerability

You can read about the issue I discovered at Keybase.io here: Vulnerability Report.

Due to the font they chose, I could impersonate any user with a zero, capital "o", lowercase "L", or capital "i" in their name. The details were iffy; I would also need to be able to register a Twitter and GitHub with the same name.

Below are two images that show just how serious this vulnerability is.

I was able to almost perfectly impersonate the co-founder of the site. One thing I accidentally did was register "maigorithms" instead of "maLgorithms" on Keybase. This was because I had just typed "maigorithms" twice on Twitter and GitHub.

Keybase's solution was to force all usernames to lower-case upon presentation. This solves one problem, but I don't think it solves another problem with Keybase.

The problem they can't fix

There is a certain problem Keybase is unable to resolve. Keybase users may expect a user on Keybase to have the same Keybase account name (and URL) as Twitter and GitHub. For example,

http://twitter.com/ev - Is the founder of Twitter.

http://keybase.io/ev - Is me, with a picture from the real ev's Twitter.

What happens when I verify a GitHub as ev as well? How many hits would keybase.io/malgorithms get from users expecting to find the owner of twitter.com/malgorithms?

What happens when I have keybase.io/malgorithms and github.com/malgorithms? Do I even need to verify a Twitter? How many users will be tricked by this? My bet is a lot, and there is nothing Keybase can do about it.

This isn't a technical problem... it is a people problem. Obviously it is the user's job to not trust and verify, but what happens when the user falls into the trap of trust?

ejj, March 2014