136 matches found
CVE-2021-34422 Path traversal of file names in Keybase Client for Windows
The Keybase Client for Windows before version 5.7.0 contains a path traversal vulnerability when checking the name of a file uploaded to a team folder. A malicious user could upload a file to a shared folder with a specially crafted file name which could allow a user to execute an application whi...
CVE-2021-34422
The CVE-2021-34422 issue affects the Keybase Client for Windows prior to version 5.7.0, where a path traversal vulnerability exists in the file-name check when uploading to a team folder. A crafted filename in a shared/public folder could enable remote code execution on the host. Affected product...
Keybase Path Traversal Vulnerability
Keybase is a PGP technology-based social networking platform that supports end-to-end encryption. Keybase Client for Windows prior to version 5.7.0 is vulnerable to a path traversal vulnerability that stems from a networked system or product failing to properly filter special elements in a resourc...
Keybase Information Disclosure Vulnerability
Keybase is a social networking platform based on PGP technology that supports end-to-end encryption. An information disclosure vulnerability exists in Keybase Client for Android before version 5.8.0 and Keybase Client for iOS before version 5.8.0, which stems from the client's inability to properl...
Deleted Keybase chat images retrievable on Windows, macOS, Linux
By Waqas. Keybase is owned by Zoom and currently has almost half a million privacy-focused users. Here's how it kept chat images that were retrievable. This is a post from HackRead.com. Read the original post: Deleted Keybase chat images retrievable on Windows, macOS, Linux...
CVE-2021-23827
Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media such as private pictures in the Cache and uploadtemps directories. It fails to effectively clear cached pictures, even after deletion via normal methodolog...
CVE-2021-23827
Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media such as private pictures in the Cache and uploadtemps directories. It fails to effectively clear cached pictures, even after deletion via normal methodolog...
Design/Logic Flaw
Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media such as private pictures in the Cache and uploadtemps directories. It fails to effectively clear cached pictures, even after deletion via normal methodolog...
CVE-2021-23827
Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media such as private pictures in the Cache and uploadtemps directories. It fails to effectively clear cached pictures, even after deletion via normal methodolog...
CVE-2021-23827
CVE-2021-23827 affects Keybase Desktop Client on Windows/macOS < 5.6.0 and Linux
Keybase Desktop Client Security Vulnerability
Keybase is a social networking platform that supports end-to-end encryption based on PGP technology. A security vulnerability exists in the Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, which allows an attacker to obtain potentially sensitive media in the...
North Korea Targets Security Researchers in Elaborate 0-Day Campaign
Hackers linked to North Korea are targeting security researchers with an elaborate social-engineering campaign that sets up trusted relationships with them — and then infects their organizations’ systems with custom backdoor malware. That’s according to Google’s Threat Analysis Group (TAG), which...
Keybase: Keybase /AppData/Local/Keybase/uploadtemps folder stores pasted photos
During research, I had noticed that Keybase does not adequately clear the cache and some residual files can be viewed, with no form of encryption on the files. In addition, these pasted photos remain even after clearing the containing chat. Not all of the pasted photos remain, so it's unclear wha...
Internet Bug Bounty: Uncovering file quarantine and UX security issues in macOS apps ( .terminal, .fileloc and .url)
Slides : https://docs.google.com/presentation/d/19WeQbqcOKnrSv1I3Z4sm-oNAf6IVzHwRyQP4i9BvY/editslide=id.g758ad3e04223231 See Blogpost for more details - https://medium.com/@metnew/exploiting-popular-macos-apps-with-a-single-terminal-file-f6c2efdfedaa Summary Popular macOS apps with a file-sharing...
Zoom Security Gets a Boost With Keybase Acquisition
Plus: A GoDaddy breach, a ransomware attack, and more of the week's top security news...
Zoom Beefs Up End-to-End Encryption to Thwart 'Zoombombers'
Video calling platform Zoom is boosting its security profile via the acquisition of a small startup called Keybase. The 25-person, New York-based company will provide more robust encryption for Zoom calls on paid subscriptions by implementing an end-to-end architecture. “Logged-in users will...
Why Keybase Doesn't Offer Two Factor Authentication
Keybase exists to keep things safe online. And it doesn't use 2FA to do it...
Keybase: Keybase client (Windows 10): Write files anywhere in userland using relative path in "download attachement" feature
Summary I've tested this vulnerability on Windows 10, with the latest Keybase client. If a user clicks on "Download file" during a chat, an attacker can write files anywhere in userland. When downloading a file from a chat, the file should always be written in the "Downloads" folder. Proof of concept You ne...
CVE-2019-16992
The Keybase app 2.13.2 for iOS provides potentially insufficient notice that it is employing a user's private key to sign a certain cryptocurrency attestation that an address at keybase.io can be used for Stellar payments to the user, which might be incompatible with a user's personal position on...
CVE-2019-16992
The Keybase app 2.13.2 for iOS provides potentially insufficient notice that it is employing a user's private key to sign a certain cryptocurrency attestation that an address at keybase.io can be used for Stellar payments to the user, which might be incompatible with a user's personal position on...