Keybase patches bug that kept pictures in cleartext storage on Mac, Windows clients

Keybase has resolved a security flaw in the messaging client that preserved image content in the cache for cleartext viewing.

The security-focused end-to-end encrypted chat app, which was acquired by remote videoconferencing tool developer Zoom in May last year, contained a vulnerability that could have compromised private user data. 

Tracked as CVE-2021-23827, the bug is described as an issue which "allows an attacker to obtain potentially sensitive media (such as private pictures) in the cache and uploadtemps directories."

"It fails to effectively clear cached pictures, even after deletion via normal methodology within the client, or by utilizing the "Explode message/Explode now" functionality," the CVE description reads. 

Identified by John Jackson, the penetration tester and Sakura Samurai founder said in a blog post on Monday that Keybase clients before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, are impacted. 

Jackson examined the client and saw that inside the Keybase uploadtemps and cache directories, photos that had previously been pasted into conversations were available and were not encrypted. Even if a user had set the content to 'explode' or delete, the cache still contained residual image files as Keybase failed to adequately clear them. 

On Mac machines, all it took to recover this content was to view the directory, but on Windows, image file extensions would need to be changed to .png or .jpg. This does mean that the issue remains local; however, even local vulnerabilities need to be patched rapidly by services that promote themselves as privacy-centric. 

"An attacker that gains access to a victim machine can potentially obtain sensitive data through gathered photos, especially if the user utilizes Keybase frequently," Jackson said. "A user, believing that they are sending photos that can be cleared later, may not realize that occasionally pasted photos are not cleared from the cache and may send photos of credentials, etc, to friends or may even send other sensitive data. The photos then can be stored insecurely on a case-by-case basis."

The vulnerability was reported through Keybase's bug bounty program on HackerOne on January 9, 2021. A fix was issued on January 23 which resolved the bug and also cleared out all of the images on clients that should have been previously wiped. Public disclosure was held back until February 22 to give users time to apply the update and Jackson was awarded $1,000 for his report. 

Update 17.14 GMT: A Zoom spokesperson told ZDNet:

"Zoom takes privacy and security very seriously and appreciates vulnerability reports from researchers. We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates."

Previous and related coverage

• Chinese hackers cloned attack tool belonging to NSA's Equation Group
  
• Masslogger Trojan reinvented in quest to steal Outlook, Chrome credentials
  
• Stored XSS bug in Apple iCloud domain disclosed by bug bounty hunter
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0