By continuing to use the site or Forum, you agree to the use of cookies, find out more by reading our GDPR policy.

The browser extension for the Keybase app fails to keep the end-to-end encryption promise from its desktop variant. Keybase is a communication and collaboration application focused primarily on securing the traffic from source to destination through public-key cryptography. Wladimir Palant, the maker of popular AdBlock Plus content filtering tool, looked at how the web extension for Keybase works and noticed that the messages it sends are exposed to third-party JavaScript code. The extension adds a "Keybase Chat" button into profiles pages for Facebook, Twitter, GitHub, Reddit, and Hacker News. Clicking on the button opens a chat window where users can type their message. "When you compose your text and 'send' it, the extension passes it to your local copy of Keybase, which encrypts the message and sends it through Keybase chat," informs the FAQ section for the Keybase Chrome and Firefox extension. And herein lies the issue signaled by Palant: messages are not encrypted until they reach the desktop app; Keybase injects its button into web pages, but it does not isolate itself from them. "So the first consequence is: the Keybase message you enter on Facebook is by no means private. Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption," Palant explains. Check it out at OUR FORUM.