
136 matches found

Hacker One
added 2018/12/19 4:43 p.m., 61 views

Keybase: Privilege Escalation via Keybase Helper (incomplete security fix)

In the previous report, about the privileged helper lacks of validation so any applications can abuse it to gain root privilege. But the security fix is incomplete. I can describe 3 different ways to bypass possibly 4, I doubt. All the poc are simplified to not sending the actual attack payload,...

AI score: 8.3
Exploits: 0

exploitpack
added 2018/12/04 12:00 a.m., 19 views

KeyBase Botnet 1.5 - SQL Injection

KeyBase Botnet 1.5 - SQL Injection Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Version: v1.5 Tested on:...

Exploits: 0

Packet Storm
added 2018/12/04 12:00 a.m., 64 views

KeyBase Botnet 1.5 SQL Injection

Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Version: v1.5 Tested on: Windows 10, debian 7 CVE : n/a...

Exploits: 0

Exploit DB
added 2018/12/04 12:00 a.m., 39 views

KeyBase Botnet 1.5 - SQL Injection

Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Version: v1.5 Tested on: Windows 10, debian 7 CVE : n/a...

AI score: 7
Exploits: 0

0day.today
added 2018/12/03 12:00 a.m., 30 views

KeyBase Botnet v1.5 - SQL Injection Vulnerability

Exploit for php platform in category web applications Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability Google Dork: intitle:"KeyBase: Login" + intext:" Login to get access to your logs " Date: 3/12/2018 Exploit Author: n4pst3r Vendor Homepage: unkn0wn Software Link: unkn0wn Versio...

AI score: 0.2
Exploits: 0

Hacker One
added 2018/10/29 9:04 p.m., 22 views

Keybase: Keybase client: downloaded executables lack "com.apple.quarantine" meta-attribute [macOS]

Summary 1. Missing quarantine attribute for downloaded files allows remote attacker to send executable file that won't be checked by Gatekeeper codesign bypass. 2. Since sent executable files lack com.apple.quarantine meta-attribute, no alert about launching executable file from the web will be...

AI score: 2.2
Exploits: 0

Hacker One
added 2018/10/22 9:31 p.m., 37 views

Keybase: Linux privilege escalation via trusted $PATH in keybase-redirector

keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executing a custom fusermount binary as root. Environment CentOS Linux...

AI score: 1.5
Exploits: 0

Exploit DB
added 2018/10/22 12:00 a.m., 38 views

Keybase keybase-redirector - '$PATH' Local Privilege Escalation

keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executing a custom fusermount binary as root. Environment CentOS Linux...

AI score: 7.4
Exploits: 0

exploitpack
added 2018/10/22 12:00 a.m., 24 views

Keybase keybase-redirector - $PATH Local Privilege Escalation

Keybase keybase-redirector - $PATH Local Privilege Escalation keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executin...

AI score: 0.2
Exploits: 0

Hacker One
added 2018/08/20 11:04 p.m., 23 views

Keybase: Privilege Escalation via Keybase Helper

A privilege escalation vulnerability exists within the KeybaseHelper application available when installing the Keybase Desktop Application on MacOS. The issue is exposed via a LaunchDaemon plist which is installed within /Library/LaunchDaemons/keybase.Helper.plist. This file is responsible for...

AI score: 1.3
Exploits: 0

Hacker One
added 2018/03/02 5:59 p.m., 37 views

Keybase: Fix bypass of different processing of usernames on Hackernews

Description In report https://hackerone.com/reports/307670 the reporter identified a flow which abuses parsing differences between Keybase and Hackernews. Although the original report is resolved, there appears to be a bypass having the same impact by abusing upper-case letters. Steps to reproduce 1...

AI score: 1.5
Exploits: 0

Hacker One
added 2018/01/21 4:49 p.m., 22 views

Keybase: Claiming ownership of GitHub handles via forked GitHub gists.

Description An attacker can claim ownership of a GitHub user's handle if the user forks the attacker's gist with a verification snippet generated by the attacker pointing towards the user's handle. PoC With my colleague's permission @jackds I claimed their GitHub handle with this gist:...

AI score: 6.7
Exploits: 0

Hacker One
added 2018/01/21 4:31 p.m., 36 views

Keybase: Keybase extension hostname-validation regular expression issue.

Description The following snippet in js/identities.js allows all hostnames ending in twitter.com, facebook.com, etc. to display the Keybase message window. The issue stems from the fact that you use . instead of \. in your regular expression. js service: "twitter", getUsername: functionloc return...

AI score: 6.7
Exploits: 0

Hacker One
added 2018/01/21 4:07 p.m., 20 views

Keybase: Difference in query string parameter processing between Hacker News and Keybase Chrome extension spawns chat to incorrect user

Hello! When using the Keybase Chrome extension and viewing a Hacker News profile page with an additional id parameter in the query string, Hacker News uses the username from the first id parameter, whereas the Keybase extension uses the username from the second id parameter. Example URL:...

AI score: 1
Exploits: 0

Veracode
added 2017/09/18 5:47 a.m., 9 views

Insecure Cryptography

github.com/keybase/client uses insecure cryptographic measures when hiding URLs. If an attacker knows what the hash of a link is, they will be able to figure out the hidden data...

AI score: 6.6
Exploits: 0

Hacker One
added 2017/07/02 9:42 a.m., 22 views

Keybase: Persistent XSS on keybase.io via "payload" field in `/user/sigchain_signature.toffee` template

Issue Keybase allows you to see other users' sigchains by navigating to /sigchain. The "Payload" field containing JSON related to the chainlink on the right side of the page is not correctly escaped during templating, leading to a persistent XSS as users have a high degree of control over the...

AI score: 6
Exploits: 0

Veracode
added 2017/06/22 3:13 a.m., 11 views

Downgrade Attack

github.com/keybase/client is vulnerable to downgrade attack. This attack is possible because the library does not validate the version signature prefixes...

AI score: 6.7
Exploits: 0

Hacker One
added 2017/05/27 12:50 p.m., 11 views

Keybase: Universal Cross-Site Scripting in Keybase Chrome extension

Description The Keybase Chrome extension makes heavy use of the insecure innerHTML DOM API, resulting in Universal Cross-Site Scripting on all Keybase-supported social networking websites. Steps to reproduce the issue 1. Install the Keybase Chrome extension 2. Navigate to the following URL addres...

AI score: 6.2
Exploits: 0

hackapp
added 2017/05/26 2:41 p.m., 14 views

Keybase - Customized SSL, Dangerous filesystem permissions, Redefined SSL Common Names verifier vulnerabilities

HackApp vulnerability scanner discovered that application Keybase published at the 'play' market has multiple vulnerabilities...

AI score: 0.3
Exploits: 0, References: 1, Affected Software: 1

ThreatPost
added 2017/05/25 2:43 p.m., 10 views

Keybase Extension Brings End-to-End Encrypted Chat To Twitter, Reddit, GitHub

A recently released Chrome extension, developed by the public key crypto database Keybase, brought end-to-end encrypted messaging to several apps this week. Keybase, a service that allows users to identify themselves with a public encryption key, introduced its end-to-end encrypted chat feature...

AI score: 6.8
Exploits: 0, References: 20