Images Deleted on ‘Keybase’ Chat Are Still Retrievable
- Keybase was vulnerable to a local attack that could expose supposedly deleted images.
- The app was deleting the files from the chat but kept them locally stored in unencrypted form.
- The bug was fixed last month, so users are recommended to update immediately.
Keybase is one of our recommended encrypted communication solutions, rich in features and strong when it comes to user privacy and security. However, a recent finding proves that no software is absolutely perfect, safe, and free of bugs that could potentially compromise its users’ privacy.
As discovered by John Jackson and his team of researchers (Sakura Samurai), Keybase was plagued by a flaw that carries the identifier “CVE-2021-23827,” which concerns storing cleartext pictures in the app’s cache. This applies to all Keybase desktop versions on all three OS platforms (Win, Mac, Linux).
Normally, when a user deletes a picture or has set the “explode” functionality (time-based deletion), the images should be wiped from Keybase. While the app’s interface shows them as deleted, there’s no action taking place on the local cache and also the uploadtemps directories.
Hence, the images remain available there and in “cleartext” form. Also, the uploadtemps folder should be kept alive on the local storage only for as long as the image uploading action lasts, but it’s not getting immediately wiped due to a bug.
Thus, if an attacker manages to establish local access onto the user’s machine, they could potentially access files that have supposedly been securely erased on Keybase. This is very bad, especially for users who have picked Keybase specifically to stay safe from authoritarian regimes. These users may have their devices seized by the police for analysis so that the “physical access” part wouldn’t be far-fetched for a significant portion of Keybase’s userbase.
The discovery of the flaws came thanks to Zoom's bug bounty hunting program when it acquired the project back in May 2020. Thus, CVE-2020-23827 has already been reported to the firm and subsequently fixed with the release of Keybase 5.6.0 for Windows and Keybase 5.6.1 for macOS and Linux. If you are using an earlier version, make sure to update your Keybase client immediately. The patched releases came out on January 23, 2021, so it’s been a full month already.
The bug bounty received by the Sakura Samurai team for this finding was $1,000, while the hacking group commented that Zoom was very responsive to their reports. This is a positive indication of how Zoom is treating Keybase following its acquisition and a step to attenuate the worries that the community had concerning the real intentions of the video conference company.