Keybase.io Vulnerability (2014) - hargikas
http://ejj.io/keybase-io-vulnerability/

======
bufordsharkley
I don't think the amount of carefulness that a keybase user needs to do is
unreasonable. (In other words, the person who gets tricked here may be
unreasonably lazy)

For instance, the hypothetical "I want to track twitter.com/ev" person, who
tries "keybase track ev".

Keybase client responds with:

✔ public key fingerprint: 1206 AE26 8AD6 8171 5390 7EC5 2E5D F3D2 4DC0 DE19 ✔
"not_ev" on twitter:
[https://twitter.com/not_ev/status/448871129671680001](https://twitter.com/not_ev/status/448871129671680001)
Is this the ev you wanted? [y/N] n

...To which, it's not unreasonable to expect any person to note that this
person is "not_ev". It would be really sloppy to pull the trigger on this.

I would recommend personally clicking through all the Twitter/Github links to
make sure they're not some carefully made impersonator account, but even doing
the bare minimum (reading the output of "keybase track") should get you there.

------
patmcc
I think this is a really strong post, because it reminds us that not all
vulnerabilities are purely technical. Like a very clever and specialized
phishing attack.

As an aside: if anyone wants a keybase invite hit me up, I've still got 7
free.

------
ewzimm
The title is not really useful. It's a font issue that was fixed a year ago on
a pre-alpha, but it does point out that any project trying to simplify
something needs to consider the possible attack vectors exposed. You always
have to assume your users will be sloppy and lazy because at least some of
them will be. They fixed this right away, but I'm sure they had to consider a
lot of other user errors since. Maybe next generation IDEs will have to test
for likely mistakes.

------
rubbsdecvik
March 2014

Also posted a year ago:
[https://news.ycombinator.com/item?id=7487797](https://news.ycombinator.com/item?id=7487797)

------
olalonde
Reminds me of that 𝒖𝒏𝒊𝒄𝒐𝒅𝒆 based phishing attack on Coinbase:
[http://www.reddit.com/r/Bitcoin/comments/2lt76n/warning_coin...](http://www.reddit.com/r/Bitcoin/comments/2lt76n/warning_coinbase_oauth_phishing_attack_allows/)

------
mholt
As the post says, this isn't a vulnerability in Keybase; it's a vulnerability
in anyone who assumes that people use the same username on different sites.

~~~
steakejjs
Hey, this is my blog post and that's not all it says. At the time, keybase used
a font that allowed me to perfectly copy (and make it look like twitter/github
was verified) people's profiles.

Totally a lame vulnerability? Yes. Pretty effective? Also yes. If you go back
in the github issue[1], it was even good enough to fool Chris, who founded the
site, for 10 seconds.

[1] [https://github.com/keybase/keybase-issues/issues/397](https://github.com/keybase/keybase-issues/issues/397)

------
EpicDavi
Somebody did this with my school district on Twitter recently. They replaced a
lowercase l with a capital I, and it looked the same with Twitter's font. The
profanity they were tweeting was pretty hilarious.
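A defender-side check for the kind of lookalike handle described in this comment and in the blog author's comment above, added here as an example and not code from the thread or from Keybase: it folds the I/l glyph pair (plus two assumed digit pairs) before comparing the handle the user asked for with the handles shown in track-style output, so a "same look, different account" proof is flagged rather than silently accepted. The proof-line format is assumed from the output quoted earlier in the thread, and the sample output and the "eIliot" handle are constructed.

```python
import re

# Visually identical or near-identical glyph pairs in the sans-serif UI fonts
# of sites like Twitter/GitHub. The I/l pair is the one the thread describes;
# the digit pairs are assumed additions, not taken from the page.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})

# Matches proof lines of the form  "handle" on service:  as quoted in the
# thread (format assumed from that quote, not from any Keybase spec).
PROOF_LINE = re.compile(r'^"(?P<handle>[^"]+)" on (?P<service>\w+):\s*$')


def skeleton(handle: str) -> str:
    """Reduce a handle to what it looks like on screen: fold confusable
    glyphs first, then case (handles on these services are case-insensitive)."""
    return handle.translate(CONFUSABLES).lower()


def check_proof(requested: str, proven: str) -> str:
    """Classify a proven handle against the one the user asked for.
    'lookalike' is the dangerous case: a different account that looks the same."""
    if requested.lower() == proven.lower():
        return "match"
    if skeleton(requested) == skeleton(proven):
        return "lookalike"
    return "mismatch"


def review_track_output(requested: str, output: str) -> dict:
    """Parse proof lines from track-style output and classify each service."""
    verdicts = {}
    for line in output.splitlines():
        m = PROOF_LINE.match(line.strip())
        if m:
            verdicts[m["service"]] = check_proof(requested, m["handle"])
    return verdicts


# Constructed sample in the shape of the output quoted in the thread; the
# fingerprint is a placeholder and "eIliot" (capital I for lowercase l) is made up.
SAMPLE_OUTPUT = """\
✔ public key fingerprint: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ✔
"eIliot" on twitter:
https://twitter.com/eIliot/status/0
"elliot" on github:
https://gist.github.com/elliot/0
Is this the elliot you wanted? [y/N]"""


if __name__ == "__main__":
    print(review_track_output("elliot", SAMPLE_OUTPUT))
    # → {'twitter': 'lookalike', 'github': 'match'}
```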

