Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
2021-05-24 17:15

Mozilla Thunderbird spent the last couple of months saving some users' private OpenPGP keys to disk in plain text, but that has now been patched, the author of both the bug and the patch fixing it has told The Register.

The vulnerability, assessed as "Low" impact by Mozilla, existed in the free open source Thunderbird email client in versions 78.8.1 through 78.10.1, and came to light after a crestfallen maintainer realised that carefully designed protections were in fact not protecting users' private OpenPGP keys.

Tracked as CVE-2021-29956, the vuln saw imported OpenPGP secret keys written to users' disks without encryption.

Thunderbird is designed to encrypt an imported secret key with an automatically generated passphrase, which it keeps in the profile and, if the user has set one, guards with the master password. When the key was copied to permanent storage, that protection didn't travel with it, due to what Kai Engert, the Thunderbird developer who wrote both the bug and the fix, told us was an error in the RNP software library, which Thunderbird uses for its built-in OpenPGP support.

Thunderbird version 78.10.2 fixes the bug, and later versions of the email client will, so we're told, check whether any unprotected keys remain in secring.gpg, with Engert adding: "If such keys are found, they will be converted to protected keys." Fuller details of the fix are available on Bugzilla.
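A user who imported keys with an affected build can run the same check against their own profile. The script below is an added example written for this page; it is not Thunderbird's or RNP's code. It walks the RFC 4880 binary packet stream in a keyring and, for every secret-key or secret-subkey packet, reads the S2K usage octet that follows the public-key material: 0 means the private MPIs are stored in the clear, 254/255 means they are encrypted with the cipher named in the next octet, and any other value is the legacy form where the octet itself is the cipher id. The v4 fingerprint is computed from the public part so the output names the key. The keyring bytes embedded at the bottom are constructed for the demonstration (tiny, meaningless MPIs, not a real key); the `secring.gpg` file name and its location in the profile directory are the Thunderbird 78 convention.

```python
"""Report which secret keys in an OpenPGP keyring (e.g. Thunderbird's
secring.gpg) are stored without passphrase protection (S2K usage octet 0)."""
import hashlib
import struct
from typing import Iterator, List, Tuple

TAG_SECRET_KEY, TAG_SECRET_SUBKEY, TAG_USER_ID = 5, 7, 13
RSA_ALGOS, ELGAMAL, DSA, ECDH, ECDSA, EDDSA = {1, 2, 3}, 16, 17, 18, 19, 22


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte 0x{ctb:02x} at offset {pos}")
        pos += 1
        if ctb & 0x40:                          # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not valid in a keyring")
        else:                                   # old-format header (RFC 4880 4.2.1)
            tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03
            if lentype == 3:
                length = len(data) - pos        # indeterminate: rest of the stream
            else:
                size = (1, 2, 4)[lentype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
        yield tag, body
        pos += length


def _skip_mpi(body: bytes, pos: int) -> int:
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


def _public_key_end(body: bytes) -> int:
    """Offset just past the public-key material of a v4 (sub)key packet."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo, pos = body[5], 6
    if algo in RSA_ALGOS:
        count = 2                               # n, e
    elif algo == ELGAMAL:
        count = 3                               # p, g, y
    elif algo == DSA:
        count = 4                               # p, q, g, y
    elif algo in (ECDH, ECDSA, EDDSA):
        pos += 1 + body[pos]                    # length-prefixed curve OID, then one point
        count = 1
    else:
        raise ValueError(f"unknown public-key algorithm {algo}")
    for _ in range(count):
        pos = _skip_mpi(body, pos)
    if algo == ECDH:
        pos += 1 + body[pos]                    # length-prefixed KDF parameters
    return pos


def scan_keyring(data: bytes) -> List[dict]:
    """One entry per secret key/subkey: fingerprint, key id, on-disk protection."""
    results = []
    for tag, body in iter_packets(data):
        if tag not in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY):
            continue
        end = _public_key_end(body)
        # v4 fingerprint: SHA-1 over 0x99 || 2-byte length || public key body
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", end) + body[:end]).hexdigest().upper()
        usage = body[end]                       # S2K usage octet (RFC 4880 5.5.3)
        if usage == 0:
            cipher = None                       # secret MPIs follow in cleartext
        elif usage in (254, 255):
            cipher = body[end + 1]              # symmetric algorithm id, then S2K specifier
        else:
            cipher = usage                      # legacy form: the octet is the cipher id
        results.append({"tag": tag, "fingerprint": fpr, "keyid": fpr[-16:],
                        "protected": cipher is not None, "cipher": cipher})
    return results


def unprotected_keyids(data: bytes) -> List[str]:
    return [e["keyid"] for e in scan_keyring(data) if not e["protected"]]


# Constructed sample keyring: one unprotected RSA key, a user id, one protected subkey.
def _mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body    # new-format header, one-octet length


_PUBLIC = b"\x04" + struct.pack(">I", 0x60AC9A00) + b"\x01" + _mpi(0x0100) + _mpi(0x11)
_SECRET_MPIS = _mpi(0x0B) + _mpi(0x11) + _mpi(0x0F) + _mpi(0x02)        # d, p, q, u (toy values)
_CHECKSUM = struct.pack(">H", sum(_SECRET_MPIS) & 0xFFFF)
# usage 254, AES-256 (9), iterated+salted S2K (3) with SHA-256 (8), salt, count, IV, ciphertext
_S2K = b"\xfe\x09\x03\x08" + bytes(range(8)) + b"\x60" + bytes(16) + b"\xab" * 32
SAMPLE_SECRING = (_packet(TAG_SECRET_KEY, _PUBLIC + b"\x00" + _SECRET_MPIS + _CHECKSUM)
                  + _packet(TAG_USER_ID, b"Alice <alice@example.org>")
                  + _packet(TAG_SECRET_SUBKEY, _PUBLIC + _S2K))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SECRING
    for e in scan_keyring(data):
        kind = "key" if e["tag"] == TAG_SECRET_KEY else "sub"
        state = f"protected (cipher {e['cipher']})" if e["protected"] else "UNPROTECTED"
        print(f"{kind} {e['keyid']} {state}")
```

Run it as `python3 scan_secring.py ~/.thunderbird/<profile>/secring.gpg` (the file is created by Thunderbird 78's OpenPGP support and is absent on profiles that never imported a key). Any line reporting UNPROTECTED is a key that an affected build wrote in the clear; upgrading to 78.10.2 or later re-protects it, and the script run again afterwards should show every key as protected. The sample keyring is only there to exercise the parser and is not a usable key.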


News URL

https://go.theregister.com/feed/www.theregister.com/2021/05/24/mozilla_thunderbird_openpgp_plaintext_keys/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                             RISK
2021-06-24  CVE-2021-29956  Cleartext Storage of Sensitive Information vulnerability in Mozilla Thunderbird  4.3

OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk.
Attack vector: network; attack complexity: low; vendor: mozilla; weakness: CWE-312 (Cleartext Storage of Sensitive Information); base score: 4.3.
The attack vector and score above are as listed on this site; as the description says, the exposed material is the key file on the user's local disk, so reading it requires access to that disk or to a backup of the profile.

Related vendor

VENDOR   LAST 12M  #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Mozilla  29        13          631  583     266   (missing)  1493

The extracted row carries one value fewer than the header. The severity counts add up to the total only if 13 is the CRITICAL count (631 + 583 + 266 + 13 = 1493), which would make #/PRODUCTS the dropped value; the row is reproduced in its original order above.