Mime with your email secrets? You might want to rethink that

2020-08-19 07:03

Boffins testing the security of OpenPGP and S/MIME, two end-to-end encryption schemes for email, recently found multiple vulnerabilities in the way email client software deals with certificates and key exchange mechanisms.

In a paper [PDF] titled "Mailto: Me Your Secrets. On Bugs and Features in Email End-to-End Encryption," presented earlier this summer at the virtual IEEE Conference on Communications and Network Security, Jens Müller, Marcus Brinkmann, and Joerg Schwenk and Damian Poddebniak and Sebastian Schinzel reveal how they were able to conduct key replacement, MITM decryption, and key exfiltration attacks on various email clients.

"First, we present a design flaw in the key update mechanism, allowing a third party to deploy a new key to the communication partners. Second, we show how email clients can be tricked into acting as an oracle for decryption or signing by exploiting their functionality to auto-save drafts. Third, we demonstrate how to exfiltrate the private key, based on proprietary mailto parameters implemented by various email clients."

Which will automatically attach your secret GnuPG key data, if your email client is vulnerable.

It allowed a website to present a link with the "Mailto?attach=..." parameter to force Thunderbird to attach local files, like an SSH private key, to an outgoing message, as described above.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/08/19/openpgp_smime_flaws/

#email #openpgp