Font flaw allowed Keybase copycats

Public key directory Keybase has fixed a dangerous and novel flaw in its service that allowed users to impersonate others on the site.

The website is a directory of publicly-auditable cryptographic public keys tied to unique usernames. Its goal was to make validation of identities easier by tieing in a users' PGP key with their personal websites and accounts on GitHub and Twitter.

But a recently-discovered flaw meant attackers could build profiles on the site to impersonate others, thanks to a specific font by Keybase which made characters such as a lowercase 'i' appear like a capital 'L'.

The simple flaw allowed a security researcher with LastPass to build fake accounts and imitate the site's co-founder Chris Coyne.

Attackers using this trick could fool users into emailing sensitive material to them instead of their intended recipient.

"Due to the font they chose, I could impersonate any user with a zero, capital 'O', lowercase 'l', or capital 'i' in their name ... I would also need to be able to register Twitter and GitHub [accounts] with the same name," researcher Evan Johnson said.

"I was able to almost perfectly impersonate the co-founder of the site."

Co-founder Maxwell Krohn responded quickly to what he described as a "pretty serious security bug" after Johnson posted the flaw to GitHub.

The fake profile using Coyne's Twitter handle

Coyne said usernames including Twitter and GitHub accounts in all instances on the site would be forced to be lowercase.

But Johnson said users could still be conned if attackers imitated the usernames of popular figures for Keybase.

He demonstrated the risk by taking the handle of Twitter founder Ev Williams (@ev) and using the same name to register the eponymous Keybase handle. The trick could be made more compelling by registering fake GitHub accounts in the victims' names.

"This isn't a technical problem...it is a people problem. Obviously it is the users job to not trust and verify, but what happens when the user falls into the trap of trust?"

Character flaws also tripped up Spotify in a flaw reported in June which allowed user accounts to be hijacked.

A user of the hugely popular music site reported that passwords could be reset for any account due to errors in the canonicalisation of usernames.

This meant for example that an attacker wanting to high jack a fictitious Spotify account called 'ITNEWS' could register a new account 'itnews', reset the password and gain access to the former account.

"Our forum manager challenged the user to take over his account, and within minutes the manager’s account had a new playlist added and a new password," Spotify engineer Mikael Goldmann said.

Goldmann warned that while limiting the alphabet to ASCII is unattractive, allowing international characters contained "plenty of pitfalls and gotchas" along with immature support for unicode by programming languages and libraries.