John noticed that inside of these folders, photos that had been previously pasted into conversations remained, unencrypted.

At this point, John decided to call in Aubrey Cottle, Jackson Henry, and Robert Willis to investigate the issue further. Robert investigated the issue further while Cottle & Henry quickly spun up an instance of Keybase on macOS and were able to determine that the issue also existed on these platforms, but utilizing a slightly different filesystem path:

Users/usernamehere/Library/Caches/Keybase/uploadtemps

Additional Escalation

Sakura Samurai began to investigate further, and that’s when a similar issue was discovered within the “Cache” directory of the Keybase Client for macOS:

~/Library/Application Support/Keybase/Cache

The issue was similar in the sense that images were also being stored in this directory, unencrypted; however, far more images were stored here than in the “uploadtemps” directory. In addition, the directory even included images that other users had sent us.

In other words, a user could send a photo to another user via a private conversation and click the “delete” or “explode” button, and the photo could still be recovered from the “Cache” directory due to the insufficient cache clearing issue and the lack of encryption of the content.

The vulnerability was quickly replicated on Windows by navigating to the Roaming folder of the AppData directory:

C:\Users\usernamehere\AppData\Roaming\Keybase\Cache

It was easily seen on macOS because of the file viewer functionality, but on Windows a user has to change the file extension from its native extension to.
During security research, John Jackson stumbled upon the Keybase Client directories and decided to take a look, considering Keybase operates a Bug Bounty Program. Within several minutes, John noticed a directory named “uploadtemps”:

C:\Users\yourusername\AppData\Local\Keybase\uploadtemps

The directory contained randomized folders.

Original message
From: Jack Platten
Date: 02:49 (GMT+00:00)
To: keybase/keybase-issues
Cc: DavidRaw, Mention
Subject: Re: Keybase install of deleted phone app and verifying the device (#3554)

It shows paper keys under devices so I made the assumption that he does not have any paper keys.

Yes I can see keys under devices I will look at the reset link you sent maybe that enables me to input the keys? Thank you for helping.

Original message
From: Lucky225
Date: 09:37 (GMT+00:00)
To: keybase/keybase-issues
Cc: DavidRaw, Author
Subject: Re: Keybase install of deleted phone app and verifying the device (#3554)

Perhaps the issue is that I deleted keybase off my PC and I log in through keybase.io? I can see I have 2 devices in account and various keys. I downloaded the software but it asked me to confirm with another device and then I am stuck? Thank you
I do not see the functionality with keybase to add a device.

There's no bluetooth involved here, it will present a QR code for you to scan from your phone. On your PC that has keybase you need to go to Devices > Add Device FROM THE KEYBASE APPLICATION - not from your OS.

I then tried my laptop instead and logged in to key base, repeated the whole process again and linked my phone to the laptop via bluetooth, but again nothing on the PC happens. I have a barcode on phone or a secret phrase option but nothing going on on the PC or laptop. Here I am stuck? I proceeded by trying to connect my phone to my PC via bluetooth? but no luck. I then get a screen saying 'On home computer, go to Devices Add Device New Phone.' It then asks I set a public name for this phone: pick a device name. As I am on my phone I choose home computer. 'Which of your existing devices would you like to choose' I then get a message 'For security reasons, you need to authorise with an existing device.' On phone I choose log in, enter my user name. Needed to reinstall keybase app on phone as had deleted it. I logged in to keybase on my PC and can see I have 2 devices.