Secure messaging app says ‘it’s not worth a fix’

The browser extension for Keybase, an encrypted social messaging app, is failing to protect its users from malicious third parties, a researcher has warned.

The plug-in, which is designed to facilitate secure and easy communication on social media platforms like Facebook, uses a third-party chat function to transfer messages back to the Keybase app.

This means that a user can send a Keybase message over Facebook, for example, by clicking on the chat button that appears on their profile after installing the browser extension.

While this allows users to strike up a conversation on any social media platform via Keybase, messages sent in such a way are not being encrypted, says Wladimir Palant, creator of the content-filtering tool Adblock Plus.

“The Keybase message you enter on Facebook is by no means private,” said Palant, having reported the issue to Keybase’s bug bounty program earlier this week.

“Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption.”

Concerns with browser extensions have been wide-ranging, as lapses in security can result in third parties collecting user information for advertising, or even worse, in falling victim to exploited vulnerabilities found in the websites they are integrated with.

“So if hundreds of people complain about you sending them spam messages via Keybase, it might be somebody exploiting the Keybase extension on your computer via an XSS vulnerability in Reddit,” said Palant.

“Have fun explaining how you didn’t do it, even though the messages were safely encrypted on your computer.”

Isolating websites to their own process tends to be an easy resolver for security concerns, and one that was added to Chrome by default in July in order to prevent the spread of attacks like Spectre.

But, according to Palant, Keybase was less than concerned that their promise of end-to-end encryption did not extend to its browser extension feature, citing technical reasons for iframes not working, and that it wasn’t “worth a fix”.

“By isolating all of the extension’s user interface in an element, this would prevent both the website and other extensions from accessing it,” said Palant.