
#1097 Signature spoofing using partially signed emails

fixed
nobody
None
3.0
Major
2.3.4
All
3.0.3
nobody
2022-05-29
2022-05-23
No

In Postbox 7.056 in connection with Enigmail 3.0.1 a valid signature is displayed although only the first part of the email is signed. This behavior can be reproduced by importing the attached public key and then opening the attached email "partially_signed_pgp-inline.eml".
Assume an attacker Eve is in possession of a valid signature from Alice and wants to send what appears to be an email signed and written by Alice to the victim Bob.
Eve can hide the actual signed text of the partially signed email with a div using HTML and CSS and then add her own arbitrary text while the indication of the valid signature remains (see "html-overlay-attack.eml").
This attack is based on https://github.com/RUB-NDS/Johnny-You-Are-Fired and has similarities with https://sourceforge.net/p/enigmail/bugs/849/

3 Attachments
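
A defensive check for the condition this ticket describes, as an added example that is not Enigmail's code and not the fix referenced in the discussion: it reports whether a decoded message body contains anything outside the inline clearsigned block, so a client can avoid showing an unqualified valid-signature indicator for a partially signed message. The function name, verdict strings and sample bodies are assumptions constructed for illustration.

```javascript
"use strict";
// Added example; function and sample names are hypothetical.
// Measures what the clearsign armor covers. It does NOT verify the signature.

const CLEARSIGN_BLOCK = new RegExp(
  "-----BEGIN PGP SIGNED MESSAGE-----[\\s\\S]*?" +
  "-----BEGIN PGP SIGNATURE-----[\\s\\S]*?" +
  "-----END PGP SIGNATURE-----", "g");

// Keep a fragment only if it holds something other than whitespace.
function collect(fragment, out) {
  const text = fragment.trim();
  if (text.length > 0) out.push(text);
}

// Returns { verdict: "none" | "full" | "partial", blocks, unsigned }.
// Markup outside the armor counts as unsigned: it can restyle or hide signed text.
function classifyInlineCoverage(body) {
  const unsigned = [];
  let blocks = 0;
  let cursor = 0;
  for (const match of body.matchAll(CLEARSIGN_BLOCK)) {
    collect(body.slice(cursor, match.index), unsigned);
    cursor = match.index + match[0].length;
    blocks += 1;
  }
  collect(body.slice(cursor), unsigned);
  const verdict = blocks === 0 ? "none" : unsigned.length === 0 ? "full" : "partial";
  return { verdict, blocks, unsigned };
}

// Constructed sample bodies; the signature data is a placeholder.
const SIGNED = [
  "-----BEGIN PGP SIGNED MESSAGE-----",
  "Hash: SHA256",
  "",
  "Text that Alice signed.",
  "-----BEGIN PGP SIGNATURE-----",
  "",
  "PLACEHOLDER-NOT-A-REAL-SIGNATURE",
  "-----END PGP SIGNATURE-----",
].join("\n");
const SAMPLE_FULL = SIGNED + "\n";
const SAMPLE_APPENDED = SIGNED + "\nText added after the signature.\n";
const SAMPLE_HTML = '<div style="display:none">' + SIGNED + "</div><p>Other text.</p>";

for (const [name, body] of Object.entries({ SAMPLE_FULL, SAMPLE_APPENDED, SAMPLE_HTML })) {
  console.log(name, classifyInlineCoverage(body).verdict);
}
```

A "partial" verdict means the signature result applies only to part of what is rendered, and the `unsigned` array holds the fragments that the signature does not cover.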

Discussion

  • Patrick Brunschwig

    Confirmed. Actually there is code that should prevent this sort of attack, but apparently it does not do what it's supposed to.

     
  • Patrick Brunschwig

    • status: open --> fixed
    • private: Yes --> No
    • Fixed in version: --- --> 3.0.3
     
  • Patrick Brunschwig

    Fixed with commit 9815dbb5

     
