Keybase api send message
12/14/2023

November 13th, 2019 – Chris replied to me suggesting that this was intended functionality. I replied reiterating my concerns and providing possible remediation steps. There has been no further communication from Chris at the time of this writing.

November 15th, 2019 – I made a post on Twitter about disclosing the issue publicly. This elicited a response to me from Max via the initial group chat I created on November 9th, 2019.

November 20th, 2019 – A Keybase user provided me with a screenshot demonstrating that they are also experiencing this issue.

November 21st, 2019 – Following Google Security’s guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase.

Initial communication from myself to Chris and Max. This was originally messaged to them in a Keybase chat on November 9th and again delivered by encrypted email on November 13th:

It's not a serious security bug, but I'm leery of posting the issue to the public forum for fear of exacerbating the issue. Currently any user that follows you can add you to a team without any kind of request to the user. I had a random guy I don't follow add me to a team and start messaging me about cryptocurrency stuff *. This really shouldn't be default behavior. This can result in a spam or harassment vector (hence why I'm reluctant to post it on the open forum). Ideally the default behavior should be that no one can add you to a team without your consent. Then maybe have an option of allowing those you follow to be able to do so, and as a final option let anyone add you to a team (but make sure folks know this isn't recommended). Anyways, I wanted to report this to you. I love the platform and find it invaluable.

The reply I received from Chris Coyne on November 13th (highlighting by me):

Hi Dave - thanks for reaching out in a responsible way with what you see as a security issue. We currently see team additions as analogous to email thread additions or phone messaging - lowering the friction makes for easier/healthier group forming, and if you’re not interested you can jump out. We’re actually rolling out shortly some newer/better tools around dealing with this, so it will be very obvious to you that you can choose not to be in the team upon being added… and it will therefore feel a bit more like an invitation. We’re constantly revisiting this and we might also add an advanced setting that lets users specify rules around themselves getting invited/added to convos.

My final reply to Chris on November 13th:

Thank you for taking the time to get back to me. I'm going to disagree with you somewhat on this. Currently any user of Keybase can follow any other user and begin messaging them without consent. The idea that it’s up to the user being messaged to leave the conversation or team puts the onus on the wrong participant. For example, I can begin messaging any Keybase user right now with ads for Chinese Viagra or, even worse, an opportunity to check out this cool thing over at hxxp:// /hostile.js. While yes, this is no different than email thread additions or unwanted SMS messages, you don't see people calling those things a feature; rather the opposite. In fact, there's an entire ecosystem around blocking unwanted messages, calls, or texts from other people. Platforms like Twitter and Facebook give me the opportunity to not get messages from people I'm not connected to. Just ask any woman what happens when she opens her Twitter DMs to the world. Just this morning I got another message from someone who I don't follow (but who follows me). This is just a matter of time before this gets abused for spam, harassment, or malware. The simple solution here would be to give the user the opportunity to say 'I don't want to be messaged by people I'm not following or added to teams by them'. Another alternative would be similar to how Twitter protects those with "protected tweets": if you want to follow someone who protects their tweets, it sends an approval request to the user.
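The consent model proposed in the correspondence above (default deny, an opt-in for people you follow, and an explicit "anyone" opt-out), with unsolicited additions turned into approval requests in the style of Twitter's protected accounts, modelled as an added example. This is constructed illustration code, not Keybase's implementation; every name in it (AddPolicy, User, request_team_add, resolve_request) is hypothetical.

```python
"""Consent-gated team additions: default deny, with an approval queue.
Constructed example; the policy names and data model are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum


class AddPolicy(Enum):
    NOBODY = "nobody"            # proposed default: every add becomes a request
    FOLLOWED_ONLY = "followed"   # people the target already follows add directly
    ANYONE = "anyone"            # the behaviour complained about; not recommended


@dataclass
class User:
    name: str
    follows: set = field(default_factory=set)       # names this user follows
    policy: AddPolicy = AddPolicy.NOBODY            # secure default
    pending: dict = field(default_factory=dict)     # team -> requesting user


def request_team_add(adder: User, target: User, team: str) -> str:
    """Return 'added' when policy lets the adder act directly, otherwise
    queue the attempt as a request the target must approve ('pending')."""
    if target.policy is AddPolicy.ANYONE:
        return "added"
    # Note the direction: the *target* must follow the adder. A stranger who
    # merely follows the target (the case in the report) still needs consent.
    if target.policy is AddPolicy.FOLLOWED_ONLY and adder.name in target.follows:
        return "added"
    target.pending[team] = adder.name
    return "pending"


def resolve_request(target: User, team: str, accept: bool) -> str:
    """The target decides; the onus is never on them to leave afterwards."""
    requester = target.pending.pop(team)  # KeyError if there is no such request
    verdict = "added" if accept else "declined"
    return f"{requester} {verdict} for {team}"
```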