Hacker News
Keybase.io Vulnerability (2014) (ejj.io)
48 points by hargikas on Feb 26, 2015 | 8 comments



I don't think the amount of carefulness that a Keybase user needs to exercise is unreasonable. (In other words, the person who gets tricked here may be unreasonably lazy.)

For instance, the hypothetical "I want to track twitter.com/ev" person, who tries "keybase track ev".

Keybase client responds with:

  ✔ public key fingerprint: 1206 AE26 8AD6 8171 5390 7EC5 2E5D F3D2 4DC0 DE19
  ✔ "not_ev" on twitter: https://twitter.com/not_ev/status/448871129671680001
  Is this the ev you wanted? [y/N] n

...To which, it's not unreasonable to expect any person to note that this person is "not_ev". It would be really sloppy to pull the trigger on this.

I would recommend personally clicking through all the Twitter/Github links to make sure they're not some carefully made impersonator account, but even doing the bare minimum (reading the output of "keybase track") should get you there.


I think this is a really strong post, because it reminds us that not all vulnerabilities are purely technical. Like a very clever and specialized phishing attack.

As an aside: if anyone wants a keybase invite hit me up, I've still got 7 free.


The title is not really useful. It's a font issue that was fixed a year ago on a pre-alpha, but it does point out that any project trying to simplify something needs to consider the possible attack vectors exposed. You always have to assume your users will be sloppy and lazy because at least some of them will be. They fixed this right away, but I'm sure they had to consider a lot of other user errors since. Maybe next generation IDEs will have to test for likely mistakes.


March 2014

Also posted a year ago: https://news.ycombinator.com/item?id=7487797


Reminds me of that 𝒖𝒏𝒊𝒄𝒐𝒅𝒆 based phishing attack on Coinbase: http://www.reddit.com/r/Bitcoin/comments/2lt76n/warning_coin...


As the post says, this isn't a vulnerability in Keybase; it's a vulnerability in anyone who assumes that people use the same username on different sites.


Hey, this is my blog post and that's not all it says. At the time, Keybase used a font that allowed me to perfectly copy (and make it look like Twitter/GitHub was verified) people's profiles.

Totally a lame vulnerability? Yes. Pretty effective? Also yes. If you go back in the github issue[1], it was even good enough to fool Chris, who founded the site, for 10 seconds.

[1] https://github.com/keybase/keybase-issues/issues/397


Somebody did this with my school district on Twitter recently. They replaced a lowercase l with a capital I, and it looked the same with Twitter's font. The profanity they were tweeting was pretty hilarious.
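
Added example, not part of any comment in this thread and not Keybase's code: a sketch of the comparison the commenters describe doing by eye, flagging a proof whose handle is different from, or only looks like, the one that was requested. The function names, the look-alike table and the sample handles are constructed for illustration, and it assumes the services compare handles case-insensitively.

```python
import unicodedata

# Constructed, deliberately small table of look-alike ASCII characters.
# It is not Unicode's full confusables data (UTS #39), only enough for the
# cases raised in this thread (capital I vs lowercase l, and similar).
LOOKALIKES = {"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"}


def skeleton(handle: str) -> str:
    """Reduce a handle to a form in which look-alike spellings collide."""
    # NFKC folds styled or compatibility letters (mathematical italics,
    # fullwidth forms) to their plain equivalents.
    folded = unicodedata.normalize("NFKC", handle)
    # Map case-sensitive look-alikes before lowercasing, so "I" becomes "l".
    mapped = "".join(LOOKALIKES.get(ch, ch) for ch in folded)
    # Multi-character look-alike: "rn" renders like "m" in many fonts.
    return mapped.lower().replace("rn", "m")


def classify(requested: str, proven: str) -> str:
    """Compare the handle the user asked for with the handle in the proof."""
    # Assumption: the service treats handles case-insensitively.
    if requested.lower() == proven.lower():
        return "match"
    if skeleton(requested) == skeleton(proven):
        return "lookalike"  # a different account that renders almost the same
    return "different"      # visibly another account, as with "not_ev"


# Constructed sample pairs: (handle requested, handle found in the proof).
SAMPLES = [
    ("ev", "ev"),
    ("ev", "not_ev"),
    ("school_district", "schooI_district"),  # capital I in place of l
    ("unicode", "𝒖𝒏𝒊𝒄𝒐𝒅𝒆"),                 # styled Unicode letters
]

if __name__ == "__main__":
    for requested, proven in SAMPLES:
        verdict = classify(requested, proven)
        # Print repr() so substituted characters are visible as escapes
        # or distinct glyphs instead of relying on the terminal font.
        print(f"{requested!r} vs {proven!r}: {verdict}")
```

Anything other than "match" is a reason to stop and open the linked proof before answering the prompt.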



