Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Mozilla Thunderbird spent the last couple of months saving some users' OpenPGP keys in plain text - but that's now been patched, the author of both the bug and the patch fixing it has told The Register.
The vulnerability, assessed as "Low" impact by Mozilla, existed in the free open source Thunderbird email client between version 78.8.1 and version 78.10.1 after a crestfallen maintainer realised carefully designed protections were in fact not protecting users' private OpenPGP keys.
Tracked as CVE-2021-29956, the vuln saw imported OpenPGP keys saved to users' devices without encryption.
When the key was copied to permanent storage, that protection didn't travel with it, due to what Engert told us was an error in the RNP software library, used in Thunderbird and Mozilla's Firefox browser to protect OpenPGP keys.
Thunderbird version 78.10.2 protects against the bug, and later versions of the email client will, so we're told, check if there are any unprotected keys in secring.gpg, with Engert adding: "If such keys are found, they will be converted to protected keys." Fuller details of the fix are available on Bugzilla.
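A defender-side check in the spirit of that post-upgrade scan, added here as an example and not Thunderbird's or RNP's own code: it walks an OpenPGP keyring as a sequence of RFC 4880 packets and reports every Secret-Key or Secret-Subkey packet whose S2K usage octet is 0, meaning the private MPIs sit on disk in cleartext (254/255 mean passphrase-protected). The keyring bytes are constructed with dummy MPIs, and only v4 RSA/DSA/ElGamal public portions are modelled, so it runs offline.

```python
import struct
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # public MPIs per algorithm id (RSA variants, ElGamal, DSA)
def _skip_mpi(buf, pos):                                 # MPI = 2-octet bit count + ceil(bits/8) octets
    return pos + 2 + (struct.unpack(">H", buf[pos:pos + 2])[0] + 7) // 8
def iter_packets(data):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag octet at offset {pos}")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            else:
                raise ValueError("5-octet and partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        yield tag, data[pos:pos + length]
        pos += length
def secret_key_protection(data):
    """Return [(tag, s2k_usage)] for each Secret-Key (5) / Secret-Subkey (7) packet in a keyring."""
    out = []
    for tag, body in iter_packets(data):
        if tag in (5, 7):
            if body[0] != 4:
                raise ValueError("only v4 keys are handled")
            pos = 6                                      # version(1) + creation time(4) + algorithm(1)
            for _ in range(MPI_COUNT[body[5]]):
                pos = _skip_mpi(body, pos)
            out.append((tag, body[pos]))                 # S2K usage octet: 0 = cleartext secret MPIs
    return out
def build_secret_packet(tag, s2k_usage, new_format=False):
    """Constructed v4 RSA secret-key packet with dummy MPIs; the tail after the S2K octet is not modelled."""
    mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1620000000) + b"\x01" + mpi(0xC5) + mpi(0x010001)
    body += bytes([s2k_usage]) + mpi(0x3B) + mpi(0x0B) + mpi(0x0D) + mpi(0x07) + b"\x00\x00"
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body                                # 1-octet length
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body  # 2-octet length
# Constructed keyring: a cleartext primary key plus a passphrase-protected (usage 254) subkey
SAMPLE_KEYRING = build_secret_packet(5, 0) + build_secret_packet(7, 254, new_format=True)
```

Any `(tag, 0)` entry in the result is a key the fixed client would need to convert to a protected one.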
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-06-24 | CVE-2021-29956 | Cleartext Storage of Sensitive Information vulnerability in Mozilla Thunderbird: OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. | 4.3 |