
Keybase iOS Has a Backdoor, Hacker News


Keybase’s iOS client has received a backdoor.

It seems that Stellar, the extremely well-funded and well-marketed cryptocurrency, has struck a deal with Keybase to “airdrop” (give away) their tokens to Keybase users in an effort to drive adoption.

Keybase updated their iOS client to sign an attestation, as a user, that a given Stellar address belongs to them, even if it does not. This is done without any user interaction or consent, violating the fundamental principle of Keybase’s product until now: the user controls their keys.

Of course, the user controls their keys using Keybase’s software, which, under normal circumstances, means the user controls their keys. But in this instance, Keybase’s software decided to sign, for a user, without their knowledge or consent, an attestation saying that username*keybase.io is a legitimate Stellar payment address for the user — even if the user has never heard of it.

Here’s mine. Note: DO NOT send payments to this address! I don’t have the keys for this address, don’t control this address, and don’t want any XLM shitcoins even if I did – despite what Keybase’s client has claimed with my private keys.

There is no option to remove this payment address from my Keybase profile, turning my Keybase profile page into an ad for a shitcoin, using my name, face, and identity as an implicit endorsement for Stellar. This is rude and unethical.

Keybase, I understand that you have no good revenue model. I know that good software costs money. I don’t have an alternative for you, but if selling out your users and violating their trust and consent (and, by extension, fraudulently claiming that published cryptocurrency addresses represent payment addresses for your users) is the best you can think of, then perhaps you should give up and stop existing as a concern.

I have filed this as a bug, although I doubt it will be addressed sufficiently, as this is intentional behavior on the part of Keybase, who have hopefully been well-paid by Stellar for entirely undermining their tool’s trust.
