Keybase is a popular collaboration tool that encrypts messages end to end, from the sender to the recipient. The service also offers a browser extension that adds a 'Keybase Chat' button to profile pages on social networking sites such as Facebook, Twitter, and Reddit. According to the FAQ for the Chrome and Firefox Keybase addon, the extension works by handing the typed message to the locally installed desktop client, which encrypts it before sending it through the chat. Apparently, not all is well with the Keybase browser addon.
Wladimir Palant, developer of the popular AdBlock Plus extension, decided to take a look at how the Keybase extension works and, to his surprise, found that before the input text actually reaches the desktop client for encryption, it can be intercepted by third-party JavaScript code. The chat box the extension adds lives in the web page's own document, so any script running on that page can read it. For example, if you are entering text on a Facebook page, even with the Keybase extension turned on, Facebook's own JavaScript can intercept the text as you type. In other words, although the Keybase Chat box shows up on the webpage, it does not isolate the text you type into it from the page.
This defeats the whole purpose of having end-to-end encryption in the first place: the plaintext is exposed to the page before it is ever encrypted. According to Palant, rendering the chat box inside an iframe, a separate document that the host page's scripts cannot reach into, should isolate the extension from the webpage and from other installed extensions. But Keybase apparently is not interested in Palant's suggestion and simply gave a nonchalant reply stating that there are issues in getting iframes to work.
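To make the difference concrete, here is a single-page demo (added here as an illustration; it is not Keybase's or Palant's code and does not reproduce the real extension) that builds two imitation chat boxes next to a "host page" script standing in for Facebook's own JavaScript. Widget A is appended straight into the page's DOM, the pattern the article criticises; Widget B is the same box inside an iframe. Because a one-file demo has no second origin to load a frame from, the example uses a sandboxed `srcdoc` iframe without `allow-same-origin`, which gives the frame an opaque origin; a real extension would instead point the frame at a page served from the extension's own origin. The element ids, the polling interval and the log format are choices made for this demo.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Injected widget vs. isolated iframe (demo, not Keybase code)</title>
<h3>Host page log: what the page's own script can see</h3>
<pre id="log"></pre>

<script>
  // "Host page" script, standing in for a social network's own JavaScript.
  // It uses nothing beyond ordinary DOM APIs available to any script on the page.
  const log = (msg) => { document.getElementById('log').textContent += msg + '\n'; };

  // 1. Keystroke capture: 'input' events from any element in THIS document bubble up
  //    to the document, so anything typed into an injected textarea is visible here.
  document.addEventListener('input', (e) => {
    if (e.target.matches('textarea')) log('input event from #' + e.target.id + ': "' + e.target.value + '"');
  });

  // 2. Direct read: poll every textarea the page can reach and try to reach into frames.
  //    Only logs when a value changes, to keep the output readable.
  const lastSeen = {};
  setInterval(() => {
    for (const ta of document.querySelectorAll('textarea')) {
      if (lastSeen[ta.id] !== ta.value) {
        lastSeen[ta.id] = ta.value;
        log('polled #' + ta.id + ': "' + ta.value + '"');
      }
    }
    for (const f of document.querySelectorAll('iframe')) {
      // For a frame with a different (here: opaque) origin, contentDocument is null,
      // so the page cannot query the textarea inside it at all.
      const state = f.contentDocument ? 'readable' : 'null (isolated)';
      if (lastSeen[f.id] !== state) {
        lastSeen[f.id] = state;
        log('frame #' + f.id + ' contentDocument: ' + state);
      }
    }
  }, 1000);
</script>

<script>
  // "Extension" part. Both widgets mimic a browser-injected chat box; the ids are demo choices.

  // Widget A: injected straight into the page's DOM. Everything typed here leaks to the host script above.
  const injected = document.createElement('textarea');
  injected.id = 'injected-chat';
  injected.placeholder = 'Widget A: injected into the page DOM';
  document.body.appendChild(injected);

  // Widget B: the same box inside a sandboxed iframe. Without allow-same-origin the frame
  // gets an opaque origin: the host page's input listener never fires for it and
  // frame.contentDocument is null. (A real extension would load an extension-origin page here.)
  const frame = document.createElement('iframe');
  frame.id = 'isolated-chat';
  frame.setAttribute('sandbox', 'allow-scripts');
  frame.srcdoc = '<textarea id="iframe-chat" placeholder="Widget B: inside a sandboxed iframe"></textarea>';
  document.body.appendChild(frame);
</script>
```

Save the file and open it in a browser, then type into each box. Text typed into Widget A shows up in the host page's log twice, once from the bubbling `input` event and once from the polling read; text typed into Widget B never appears, and the log reports the frame's `contentDocument` as null. Note that isolation of the frame's contents is all this buys: the host page can still remove, resize or cover the frame, so the frame-based design protects the plaintext, not the user interface around it.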
Palant advises everyone who uses the Keybase extension to uninstall it as soon as possible. While the desktop client itself may well deliver the encryption it promises, users should still be wary when sharing sensitive information through the browser addon.
What do you think about the flaw in Keybase's browser extension? Let us know in the comments below. Also, to get instant tech updates, follow TechNadu’s Facebook page, and Twitter handle.