A low-impact Keybase impersonation issue on Lobsters

  • Date and Event: On June 8, 2025, a minor security issue was found in Lobsters and reported to the site. It has since been fixed and was likely never exploited.

    • Security Issue Details: Keybase lets a user cryptographically prove control of accounts on other services. Lobsters called a Keybase API to check whether a given Keybase account had proven control of a given Lobsters account. The URL for that check was built by plain string concatenation of user-supplied values, so a crafted value could inject additional query parameters into the request.
    • Exploitation Details: By embedding extra query parameters in the Keybase username they set on their own profile, an attacker can point the check at an existing, valid Keybase proof for a different Lobsters account. A `#` placed after the injected query string turns the genuine username parameter that follows it into a URL fragment, which is never sent to the server, so the attacker's own username drops out of the check. The injected parameters must also be URL-encoded.
    • Reporting and Resolution: The issue was reported to Peter Bhat Harkins. He acknowledged it and discussed removing the Keybase integration altogether, since Keybase appeared to be inactive. The integration was later removed. Had the Keybase functionality been kept, the fix would have been to properly escape every value interpolated into the API call.
    • Impact Assessment: To do anything genuinely malicious, an attacker would need a target Lobsters user with a linked Keybase account, an existing proof tying the two together, and a Lobsters account of their own. It is unclear what could be achieved beyond spoofing the Keybase field on the attacker's own profile, and a target with a whole constellation of other spoofable identity proofs seems unlikely.
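The following is an added example, not code from Lobsters or from the original post, that models the bug described above in Ruby (the language Lobsters is written in). The endpoint path, the parameter names (`domain`, `kb_username`, `username`) and their order in the query string are assumptions made for illustration; only the mechanism matches the page: a concatenated URL lets an attacker-controlled Keybase username inject `&username=<victim>` and then a `#` that hides the real `username` parameter in the fragment. The hardened builder encodes each value with `URI.encode_www_form`, so the same payload stays a single, harmless `kb_username` value.

```ruby
require "uri"

# Hypothetical endpoint and parameter names, assumed for this example;
# the page does not show Lobsters' real code or Keybase's API.
KEYBASE_PROOF_ENDPOINT = "https://keybase.io/_/api/1.0/sig/proof_valid.json"

# Vulnerable builder: raw string interpolation of a value the attacker
# controls (the Keybase username they enter on their own profile).
def build_check_url_vulnerable(keybase_username, lobsters_username)
  "#{KEYBASE_PROOF_ENDPOINT}?domain=lobste.rs" \
    "&kb_username=#{keybase_username}&username=#{lobsters_username}"
end

# Hardened builder: every value is percent-encoded, so '&', '=' and '#'
# inside a username cannot add, replace or hide query parameters.
def build_check_url_safe(keybase_username, lobsters_username)
  query = URI.encode_www_form(
    "domain"      => "lobste.rs",
    "kb_username" => keybase_username,
    "username"    => lobsters_username
  )
  "#{KEYBASE_PROOF_ENDPOINT}?#{query}"
end

# Query parameters the Keybase server would actually receive. The URL
# fragment (everything after '#') is never transmitted, and when a key
# repeats the last occurrence wins here, which mirrors the injection.
def effective_query_params(url)
  uri = URI.parse(url)
  Hash[URI.decode_www_form(uri.query || "")]
end

# Constructed attack value: the attacker's "Keybase username" smuggles in
# the victim's real Keybase/Lobsters pair and then comments out the
# attacker's own Lobsters username with '#'.
ATTACKER_PAYLOAD = "victim_kb&username=victim_lobsters#"

if __FILE__ == $0
  vuln = build_check_url_vulnerable(ATTACKER_PAYLOAD, "attacker_lobsters")
  safe = build_check_url_safe(ATTACKER_PAYLOAD, "attacker_lobsters")
  puts "vulnerable URL: #{vuln}"
  puts "  server sees:  #{effective_query_params(vuln)}"
  puts "hardened URL:   #{safe}"
  puts "  server sees:  #{effective_query_params(safe)}"
end
```

With the vulnerable builder the server sees `kb_username=victim_kb` and `username=victim_lobsters`, i.e. it validates the victim's genuine proof and the attacker's profile is marked as that Keybase user; with the hardened builder it sees the whole payload as one `kb_username` value plus `username=attacker_lobsters`, for which no proof exists. Whether the payload also has to be percent-encoded to survive the profile form, as the page notes, depends on the input validation in front of the builder and is outside this example.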