Signature Spoofing via Inline-PGP in HTML Mails

OpenPGP addon for Mozilla Thunderbird

Brought to you by: pbrunschwig

#849 Signature Spoofing via Inline-PGP in HTML Mails

Status: fixed

Owner: nobody

Labels: None

Found in Version: 2.0.5

Severity: Major

Thunderbird version:

GnuPG version:

Operating System: All

Fixed in version: 2.0.6

Cc: nobody

Updated: 2018-05-27

Created: 2018-05-27

Creator: Patrick Brunschwig

Private: No

If an attacker creates a HTML mail containing a signed inline-PGP message part, then Enigmail would display a "good signature" instead of saying that the message is only partially signed. Example attached.

1 Attachments

pgp-signature-spoofing.txt

Discussion

Patrick Brunschwig - 2018-05-27

private: Yes --> No
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Signature Spoofing via Inline-PGP in HTML Mails

OpenPGP addon for Mozilla Thunderbird

Searches

Help

#849 Signature Spoofing via Inline-PGP in HTML Mails

Discussion