About | Blog | Contact | Newsletter

Keybase.io Vulnerability

You can read about the issue I discovered at Keybase.io here: Vulnerability Report.

Due to the font they chose, I could impersonate any user with a zero, capital "o", lowercase "L", or capital "i" in their name. The details were iffy, I would also need to be able to register a twitter and github with the same name.

This might not initially sound like a significant finding, but below are two images that show just how serious this vulnerability is.

I was able to almost perfectly impersonate the co-founder of the site. One thing I accidently did was register "maigorithms" instead of "maLgorithms" on keybase. This was because I had just typed "maigorithms" twice on twitter and github.

The problem they can't fix

There is a certain problem keybase is unable to resolve. Keybase users may expect a user to on keybase to have the same keybase account name (and url) as twitter and github. For example, "http://twitter.com/ev" - Is the founder of twitter.http://keybase.io/ev - Is me, with a picture from the real ev's twitter.

What happens when I verify a github as ev as well? How many hits would keybase.io/ev get of users expecting to find the owner of twitter.com/ev.

This isn't a technical problem...it is a people problem. Obviously it is the users job to not trust and verify, but what happens when the user falls into the trap of trust?

ejj, March 2014