Improper Verification of Cryptographic Signature
CVE-2019-16992
Summary
The Keybase app 2.13.2 for iOS provides potentially insufficient notice that it is employing a user's private key to sign a certain cryptocurrency attestation (that an address at keybase.io can be used for Stellar payments to the user), which might be incompatible with a user's personal position on the semantics of an attestation.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-347 - Improper Verification of Cryptographic Signature
A cryptographic protocol is meant to ensure that services are provided in a secure manner. An application with absent or improper verification of cryptographic signatures allows malicious users to feed false messages to valid users or to disclose sensitive data, subverting the goals of the protocol. This can lead to security failures such as false authentication, account hijacking, and privilege escalation.
References
Advisory Timeline
- Published