The browser extension for the Keybase app fails to keep the end-to-end encryption promise of its desktop variant.
Keybase is a communication and collaboration application focused primarily on securing the traffic from source to destination through public-key cryptography.
The extension adds a "Keybase Chat" button to profile pages on Facebook, Twitter, GitHub, Reddit, and Hacker News. Clicking the button opens a chat window where users can type their message.
"When you compose your text and 'send' it, the extension passes it to your local copy of Keybase, which encrypts the message and sends it through Keybase chat," says the FAQ for the Keybase Chrome and Firefox extension.
And herein lies the issue signaled by Palant: messages are not encrypted until they reach the desktop app. Keybase injects its button and chat window into the web page itself, and does not isolate them from the page, so the text you type lives inside the host page before it is handed to the desktop app for encryption.
Palant's suggested fix is to put the chat interface inside an iframe, which would separate it from the host page.
Keybase's response to the suggestion was that technical reasons prevented isolating the extension through iframes.
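To make the difference between the two designs concrete, here is an added example (not Keybase's own code; the function names, the `compose.html` page and the `chrome-extension://abc/` base URL are hypothetical) of a content script mounting the compose box inline in the host page versus inside an extension-origin iframe. In a real extension the base URL would come from `chrome.runtime.getURL('')`, and `compose.html` would have to be listed under `web_accessible_resources` in the manifest.

```javascript
// Pattern 1 (the design the article describes): the compose box is an
// ordinary element in the host page's DOM. Anything that runs on that page
// can find it and read the draft before the extension forwards it to the
// local app for encryption.
function mountInlineCompose(doc, recipient) {
  const box = doc.createElement('textarea');
  box.dataset.recipient = recipient;
  doc.body.appendChild(box); // now reachable via doc.querySelector('textarea')
  return box;
}

// Pattern 2 (the iframe fix Palant suggested): the compose UI is an
// extension page loaded in its own origin. The host page only sees an
// opaque <iframe> element; the same-origin policy keeps page scripts out of
// its document, and the draft never touches the host page's DOM.
function composeFrameUrl(extensionBaseUrl, recipient) {
  // extensionBaseUrl is hypothetical, e.g. 'chrome-extension://abc/'
  const url = new URL('compose.html', extensionBaseUrl);
  url.searchParams.set('to', recipient);
  return url.href;
}

function mountIsolatedCompose(doc, extensionBaseUrl, recipient) {
  const frame = doc.createElement('iframe');
  frame.src = composeFrameUrl(extensionBaseUrl, recipient);
  frame.width = '400';
  frame.height = '300';
  doc.body.appendChild(frame); // page gets the element, not its contents
  return frame;
}

// Browser entry point; the functions above are also usable without a DOM.
if (typeof document !== 'undefined' && typeof chrome !== 'undefined') {
  mountIsolatedCompose(document, chrome.runtime.getURL(''), 'alice');
}
```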
Palant's recommendation is to uninstall the Keybase browser extension as soon as possible. You should heed this especially if you are using Keybase for sensitive communication.