Keybase is notifying Android users of a bug in its mobile app that might have unintentionally included the users' private key (used to encrypt conversations and other private data) in the automatic backups created by the Android OS and uploaded to Google's servers.
Keybase, which is a company that provides a wide range of identity proofing and encrypted communication tools, says it fixed the bug and has sent notification emails to users it believes are affected by this issue.
The emails contain instructions on how users could force their device to generate a new private encryption key.
Keybase uses this private key as part of a private-public key pair system to verify a user's identity and encrypt conversations sent through the Keybase chat system from that device.
According to an email seen by Bleeping Computer, the issue appears to affect only "early adopters" of the Keybase Android app.
Keybase estimates that around 10% of Keybase Android app users are affected by this bug. On its website, the company boasts of serving over 205,000 users, although it is unclear how many of these also use its Android app.
Keybase said that users who back up their Android device through Google Play and users who reused passwords from other accounts or used a weak passphrase are affected.
As Keybase points out, this isn't a serious issue unless users are really bad at choosing passwords. An attacker would first need access to a user's Google account (to extract the Android backup files), and then the Keybase passphrase (to decrypt the private key). Nonetheless, we've seen too many cases of bad password practices in the past to rule out possible attacks on Keybase accounts.
Keybase works by allowing users to register a Keybase account and use it as a central hub to verify profiles on other online sites and verify devices the user owns.
An attacker may obtain a user's Keybase account password (passphrase), but he won't be able to impersonate that user in Keybase-encrypted chats and private PGP-protected messages unless he sends those messages from verified devices.
The bug Keybase just fixed allowed an attacker who had obtained both the backup and the passphrase to recover the private key and impersonate the user's Android smartphone. This is why it is important that users secure their devices, even if there is only a small chance they were affected.
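For developers, the general lesson of this incident is that Android Auto Backup will happily ship an app's private files to the user's Google account unless the app opts them out. The following is an added illustration of how an app can exclude its key material from those backups; it is not Keybase's own manifest or fix, and the file names (`keys/`, `device_key_prefs.xml`) and resource name (`backup_rules`) are assumptions chosen for the example.

```xml
<!-- AndroidManifest.xml (fragment): point Auto Backup at an explicit rule set.
     fullBackupContent covers Android 6.0 through 11; dataExtractionRules is
     the Android 12+ (API 31) replacement, and both may be declared together. -->
<application
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup_rules"
    android:dataExtractionRules="@xml/data_extraction_rules">
    <!-- activities, services, etc. -->
</application>

<!-- res/xml/backup_rules.xml: keep ordinary settings, never the private key.
     Paths are relative to the app's private storage; "keys/" and
     "device_key_prefs.xml" are assumed names for this example. -->
<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <!-- back up general preferences -->
    <include domain="sharedpref" path="." />
    <!-- but exclude the directory holding the device private key ... -->
    <exclude domain="file" path="keys/" />
    <!-- ... and any preferences file that caches key material -->
    <exclude domain="sharedpref" path="device_key_prefs.xml" />
</full-backup-content>

<!-- res/xml/data_extraction_rules.xml: same policy for Android 12+, applied
     to both cloud backup and device-to-device transfer. -->
<?xml version="1.0" encoding="utf-8"?>
<data-extraction-rules>
    <cloud-backup>
        <exclude domain="file" path="keys/" />
        <exclude domain="sharedpref" path="device_key_prefs.xml" />
    </cloud-backup>
    <device-transfer>
        <exclude domain="file" path="keys/" />
        <exclude domain="sharedpref" path="device_key_prefs.xml" />
    </device-transfer>
</data-extraction-rules>
```

A useful check after adding such rules is to trigger a backup on a test device and confirm the key files are absent from the restored data; a long-lived device key is better kept in the Android Keystore, which is hardware-backed on many devices and is never included in backups at all.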
Keybase has included the following instructions in the email to possibly affected users. Users who received the email should update their Keybase app and go through the following steps to create new private keys. The old backups can be left alone, as the private key contained within won't work anymore.
Despite this issue, users shouldn't be deterred from using Keybase, which is currently the only service that provides support for end-to-end encrypting Git operations, Reddit and Twitter private messages.