toreslot.blogg.se

Flaws keybase app kept chat images

It may sound difficult, but it’s actually a very trivial process. Git will accept any name and email address as the commit author and so will GitHub. So if you set the author on the commit to be a valid email address, it will look like they made the commit. This is due to the distributed nature of Git, which allows anyone to push anyone else’s commits around. However, from a security point of view, it’s a problem. Unfortunately, there isn’t a way to stop someone from spoofing a commit with your name and email. However, Git does support cryptographically signing commits using a GPG key. This allows GitHub to mark your commits as Verified when it can match your verified email to your GPG key.


This won’t stop someone trying to spoof your commits, but it will provide assurance of your real commits so they can be properly verified. GitHub provides a settings page for setting your GPG key; however, if you upload your raw GPG key from Keybase, it will likely contain a Keybase user reference. This isn’t a live email address and therefore GitHub will be unable to verify it. It also won’t match the email address in your commits. As a result, we need to do a few more things to get everything working. I tried looking through the Keybase options, but couldn’t find any default way to modify the key and add email addresses. This seems like an oversight to me, but my understanding of this is limited, so there may be a good reason. Ultimately, I needed to export my key from Keybase into GPG so I could modify it directly. It turns out that Git needed it in there anyway, so it all works out nicely.

Keybase is owned by Zoom and currently has almost half a million privacy-focused users.

Updating the GPG key

Before you begin, I’m assuming you have Keybase installed and working via command line, and you have a GPG key already in your Keybase account.

John Jackson and researchers at Sakura Samurai including Aubrey Cottle, Jackson Henry, and Robert Willis have identified a critical vulnerability in the Keybase app that puts the privacy of Windows, macOS, and Linux users at risk. The app is regarded as one of the best for encrypted communication. This feature-rich app offers comprehensive privacy and security. However, Jackson reported in the company’s latest report that the bug could compromise Keybase users’ privacy.

Bug Affects Keybase App’s Picture Storing Mechanism

According to Jackson and his team, the bug carries the identifier CVE-2021-23827. It impacts the app’s cleartext image storing cache and is found in all desktop versions of the app across all platforms, including Windows, Mac, and Linux.

In the Keybase app, under normal circumstances, after deleting a picture or enabling the explode feature, which activates time-based deletion of images, the pictures are expected to be wiped from the app’s cache. However, despite being shown as deleted, the pictures were removed neither from the local cache nor from the “uploadtemps” directories due to the bug. This means the images were still retrievable in cleartext format.

According to a blog post published by researchers, the bug also prevents the “uploadtemps” folder from getting immediately wiped, as usually happens. Typically, the folder remains on local storage only for as long as the image upload lasts.

Recovered and unencrypted image on Windows. Image: John J Hacking

If an attacker can establish local access on the device, they can easily access files that the user believes have been deleted on Keybase. This could be detrimental for privacy-focused users, as the primary reason they picked up Keybase is to keep their data secure from authoritarian regimes. The flaw in Keybase was identified during Zoom’s bug-hunting program after it acquired the project in May 2020.


The flaw was reported to Zoom and fixed in Keybase 5.6.0 for Windows and Keybase 5.6.1 for macOS and Linux.


The patches were released on 23 January 2021, so if you are still using the old version, update your Keybase client immediately. For discovering this flaw, the Sakura Samurai team received a $1,000 bug bounty. “Zoom takes privacy and security very seriously and appreciates vulnerability reports from researchers. We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux,” Zoom’s spokesperson said.











