Friday, November 22, 2019

Keybase, we've got a privacy problem

What is Keybase? 

Keybase (keybase.io) is a platform designed to help users send and receive encrypted communications as well as securely store files and collaborate with others in “teams”. Keybase also allows users to attest to ownership of other accounts on sites such as Github, Twitter, Mastodon, and personal websites, as well as validating cryptocurrency addresses. Keybase was founded by Chris Coyne and Max Krohn.

Note: Updates to this issue are now being included at the bottom of the post

What is the issue? 

Keybase currently lacks controls to allow the user to control how others interact with them. This lack of controls means that anyone who follows you (an event you cannot control) can begin messaging you or adding you to “teams” on Keybase without your consent.
The end user, as of this writing, cannot opt out of this functionality

This control gap is currently being exploited in the wild

Impact of the issue

The impact of this issue can range from annoying to dangerous. By preventing the user from being able to control who follows them on Keybase, any user can follow you and begin sending you messages or adding you to teams. This can lead to issues such as:
  • Stalking and harassment
  • Spam
  • Malware delivery
Proof of Concept

Methodology

To accurately demonstrate this issue I have taken the following steps on a newly installed Windows 10 VM:
  • Create a new Gmail account for a user none of my participants have ever seen before
  • Create a new Twitter account for a user none of my participants have ever seen before
  • Create a new Keybase account for a user none of my participants have ever seen before
  • Validate the Twitter account created for this demo with my Keybase account created for this demo
  • Follow several users on Keybase
  • Add those users to a team they are not currently a part of and begin sending them unsolicited messages
Note: All participants in this are willing volunteers who have been told they are participating in a Proof of Concept demonstration. I am merely demonstrating that I could be doing this to truly random people 

Execution

Step 1: “Raoul Duke” created a Keybase account 

Keybase Account for "Raoul Duke" my test account

Step 2: “Raoul Duke” followed several people, created a team, and then added those folks to the team

Image showing a team being created by "Raoul" and several unwitting users being added to it
 
Step 3: “Raoul Duke” begins to message these users without their consent, advertising cryptocurrency. I was also interested to see if there was any URL filtering happening on Keybase, so the second link went to a site hosting a malware command and control portal. I blurred the link for obvious reasons

"Raoul" advertising cryptocurrency to users who have not consented to be added to his team. This is spam

Timeline
  • November 9th, 2019 – I became aware of this issue when a random user added myself and others to a team and began discussing cryptocurrency
  • November 9th, 2019 – I looked up the bug submission process and was instructed to contact “Chris” and “Max” via encrypted email. Their keys were provided, but no email addresses were listed. I instead began a Keybase chat with Chris and Max, but received no response
  • November 13th, 2019 – I received yet another unsolicited chat from a user who follows me, but I myself do not follow
  • November 13th, 2019 – I took a guess and emailed chris@keybase.io and max@keybase.io. I heard back from Chris within a few hours, but would not hear back from Max until I made reference to publishing my writeup of this issue on Twitter
  • November 13th, 2019 – Chris replied to me suggesting that this was intended functionality. I replied reiterating my concerns and providing possible remediation steps. There has been no further communication from Chris at the time of this writing
  • November 15th, 2019 – I made a post on Twitter about disclosing the issue publicly. This elicited a response to me from Max via the initial group chat I created on November 9th, 2019
  • November 20th, 2019 – A Keybase user provided me with a screenshot demonstrating that they are also experiencing this issue
  • November 21st, 2019 – Following Google Security’s guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase

Communications
  • Initial communication from myself to Chris and Max. This was originally messaged to them in a Keybase chat on November 9th and again delivered by encrypted email on November 13th:
Hey guys,

I've got something to report. It's not a serious security bug, but I'm leery of posting the issue to the public forum for fear of exacerbating the issue. Currently any user that follows you can add you to a team without any kind of request to the user. I had a random guy I don't follow add me to a team and start messaging me about cryptocurrency stuff*. This really shouldn't be default behavior. This can result in a spam or harassment vector (hence why I'm reluctant to post it on the open forum). Ideally the default behavior should be that no one can add you to a team without your consent. Then maybe have an option of allowing those you follow to be able to do so, and as a final option let anyone add you to a team (but make sure folks know this isn't recommended).

Anyways I wanted to report this to you. Keep up the great work. I love the platform and find it invaluable.

- noid
 *[Note to the reader. The event described here was a separate event from my PoC. This event happened on November 9th and was a truly unsolicited team addition. My PoC event occurred on November 16th]
  • The reply I received from Chris Coyne on November 13th (Highlighting by me):
Hi Dave - thanks for reaching out in a responsible way with what you see as a security issue.  
We currently see team additions as analogous to email thread additions or phone messaging — lowering the friction makes for easier/healthier group forming, and if you’re not interested you can jump out. We’re actually rolling out shortly some newer/better tools around dealing with this, so it will be very obvious to you that you can choose not to be in the team upon being added….and it will therefore feel a bit more like an invitation.

We’re constantly revisiting this and we might also add an advanced setting that lets users specify rules around themselves getting invited/added to convos.
  • On November 13th I again received unsolicited messages from a random Keybase user who follows me, but I do not follow back:

Random message from a Keybase user who follows me, but I do not follow

  • My final reply to Chris on November 13th:
Chris,

Thank you for taking the time to get back to me. I'm going to disagree with you somewhat on this. Currently any user of Keybase can follow any other user and begin messaging them without consent. The idea that it’s up to the user being messaged to leave the conversation or team puts the onus on the wrong participant. For example, I can begin messaging any Keybase user right now with ads for Chinese Viagra or, even worse, an opportunity to check out this cool thing over at hxxp://somemalwaresite.com/hostile.js.

While yes, this is no different from email thread additions or unwanted SMS messages, you don't see people calling those things a feature; rather the opposite. In fact, there's an entire ecosystem around blocking unwanted messages, calls, or texts from other people. Platforms like Twitter and Facebook give me the opportunity to not get messages from people I'm not connected to. Just ask any woman what happens when she opens her Twitter DMs to the world. That's currently what's at play here.

Just this morning I got another message from someone who I don't follow (but who follows me). This is just a matter of time before this gets abused for spam, harassment, or malware. The simple solution here would be to give the user the opportunity to say 'I don't want to be messaged by people I'm not following or added to teams by them'. Another alternative would be similar to how Twitter protects those with "protected tweets": If you want to follow someone who protects their tweets, it sends an approval request to the user. So on Keybase I can either say "I can choose who follows me and anyone I approve may message me or add me to a team" or "Anyone can follow me, but you can't message me or add me to a team unless I follow you back". Of course you could always leave the user the option of "Anyone can hit me up any time" as well. However, that shouldn't be the default (and currently only) option.

I've not looked into the Keybase API just yet, but I'd be willing to bet I could exploit at least part of this programmatically.
  • On November 16th, Max responded to the initial chat after a posting I made on Twitter about disclosing the issue: 


  • On November 20th a Keybase user provided me a screenshot of an unsolicited conversation from someone effectively panhandling for cryptocurrency: 


Issue Remediation

As discussed in my email, the fix to this is pretty straightforward. Give the users some options:
  • No one can message me or add me to a team
  • Only people I follow can message me or add me to a team
  • Anyone can message me or add me to a team
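As an added illustration (example code written for this post, not Keybase's own; all user, team and function names are hypothetical), the three proposed settings modelled as a single contact-policy check, extended with a block list and a record of teams a user has left so that other members cannot silently re-add them, the gap the user guidance points out:

```python
from dataclasses import dataclass, field
from enum import Enum


class ContactPolicy(Enum):
    NOBODY = "nobody"            # no one can message me or add me to a team
    FOLLOWED_ONLY = "followed"   # only people I follow can
    ANYONE = "anyone"            # the current (and only) Keybase behaviour


@dataclass
class User:
    name: str
    policy: ContactPolicy = ContactPolicy.FOLLOWED_ONLY  # proposed safe default
    follows: set = field(default_factory=set)            # usernames I follow
    blocked: set = field(default_factory=set)            # usernames I blocked


@dataclass
class Team:
    name: str
    members: set
    left: set = field(default_factory=set)  # users who chose "Leave Team"


def may_contact(sender: str, target: User) -> bool:
    """True if `sender` may message `target` or add them to a team."""
    if sender in target.blocked:          # a block always wins
        return False
    if target.policy is ContactPolicy.ANYONE:
        return True
    if target.policy is ContactPolicy.FOLLOWED_ONLY:
        return sender in target.follows   # following the sender is consent
    return False                          # NOBODY


def add_to_team(actor: str, target: User, team: Team) -> bool:
    """Add `target` to `team` only when policy allows and they never left it."""
    if actor not in team.members:         # only existing members can add
        return False
    if target.name in team.left:          # leaving must stick; no re-adding
        return False
    if not may_contact(actor, target):
        return False
    team.members.add(target.name)
    return True


def leave_team(user: User, team: Team) -> None:
    """Remove the user and remember the choice so nobody can add them back."""
    team.members.discard(user.name)
    team.left.add(user.name)
```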

Guidance for Keybase Users

The crux of this issue is that the Keybase user currently lacks controls to alter or block this behavior. However, I would like to provide some guidance on how to identify this behavior:
  • If you are receiving unsolicited 1:1 chat messages, you cannot leave the chat; you can only mute the notifications. However, if you click on the user’s profile you do have the option to block the user
  • If you have been joined to a team or group message without your consent you can leave the team by selecting the “gear” icon and choosing “Leave Team”. From there you can view the profile of the user who added you and block them there
    • Note: If you leave a team, members of that team can add you right back to the team. There is no mechanism to stop this. If you block the person who added you to the team, they obviously can't add you back, but others in the team can. 
  • Finally, and probably the best corrective action you can take, would be to mail Chris Coyne (chris@keybase.io) and ask him to provide Keybase users with controls that allow them to change how users interact with each other. Alternatively, you can hit up Chris and Max on Twitter. Barring that, you could always take advantage of this control gap and contact Chris or Max directly on Keybase or add them to a team to discuss this matter. Good user experience (UX) design for an online collaboration and messaging platform puts control of who contacts you and how they can contact you into the hands of the end user

Conclusion

I’m disappointed in Keybase’s response to this issue, given the nature of their platform. Keybase bills itself as a place to collaborate for friends, families, communities, schools, etc. Unfortunately, this issue opens those users up to online harassment, spam, and potential compromise. In short, until sufficient controls are put into place to protect its users, Keybase is not a safe place, despite the fact that everything is encrypted. I can only hope that this disclosure pushes Keybase to implement strong controls for the end user that will allow them to control who they interact with and how they interact with them.

Acknowledgements 

I would like to thank several people who contributed to this work: 

Christopher Hultin, Nate Campbell, Robert Hoffmann, Lucky225, and Marc Rogers

Updates

Since going live with this blog post there have been a number of new developments, the biggest being a blog post from Keybase themselves on December 4th, 2019:

While ultimately this is the right course of action to take, I and others are disappointed that they still don't seem to be getting the crux of the issue. This is more than just spam; this is about harassment and user privacy. For example:
On December 3rd, 2019 Keybase and the Chaos of Crypto talks about this as well
On December 5th, 2019 The Register published a story about this issue
On December 6th, 2019 ArsTechnica published a story about this issue
On December 6th, 2019 Slashdot also discussed this issue
On December 12th, 2019 The Register issued a follow up story about this issue