
Mozilla Thunderbird email client could have been abused to impersonate senders

Mozilla's open source email client Thunderbird has been saving the OpenPGP keys of some users in plain text for the past few months following a code rewrite.

The vulnerability, tracked as CVE-2021-29956, has been given a low severity rating by the company and exists in versions 78.8.1 to 78.10.1 of its email client. Thankfully though, it has now been patched by the developer who introduced it in the first place while trying to add extra protection to the secret keys used by Thunderbird.

The bug was first discovered a few weeks ago when a user on the company's E2EE mailing list noticed that they were able to view OpenPGP-encrypted emails without entering their master password. Normally in Thunderbird, users first have to authenticate themselves before being able to view secure email messages.

By viewing and copying these OpenPGP keys, a local attacker could use them to impersonate the key's owner and send unauthorised emails to that person's contacts in their name.

In a new security advisory, Mozilla provided further details on the vulnerability and how it will be fixed in version 78.10.2 of Thunderbird, saying:

“OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions.”

OpenPGP keys

In a new report from The Register, the news outlet spoke with security software developer Kai Engert at the Mozilla Thunderbird Project who explained how master passwords are used by Firefox and Thunderbird to access stored secrets, saying:

“As soon as the user has configured a master password, the first time any of the stored secrets is required by Firefox/Thunderbird, the user will be prompted to enter it. If entered correctly, the symmetric key will be unlocked and remembered for the remainder of the session, and any protected secrets can be unlocked as needed.” 

Engert also explained that Thunderbird's key-handling processes had been rewritten in order to maintain their security, and this is when the vulnerability was introduced. Before the code rewrite, the email client would copy a key to the permanent storage area and then protect it using Thunderbird's automatic OpenPGP password. After the rewrite, the keys were protected using the client's automatic OpenPGP password first and only then copied to the permanent storage area.

Engert and the reviewer assumed that the protection applied to the secret key would be preserved when it was copied to the other storage area. This turned out not to be the case: the copy that reached permanent storage was unprotected, which is why users' OpenPGP keys ended up on disk in plain text.
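The ordering problem described above is easy to reproduce in a small model. The following is an added example written for this page, not Thunderbird's code: it assumes two hypothetical storage areas (`temp` and `perm`), a toy wrapping scheme standing in for the master-password protection, and a hypothetical copy routine `export_for_copy` that hands back usable key material, which is exactly where the protection silently drops off. It also includes an `audit_and_repair` pass of the kind the advisory describes for keys imported by affected versions, and an `import_checked` variant that refuses to persist anything that is not protected.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed marker so a stored blob can be recognised as protected at rest.
MAGIC = b"PROTECTED:"


def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream. Illustration only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(master_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect(secret: bytes, master_key: bytes) -> bytes:
    """Wrap secret key material under the session's unlocked master key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(master_key, nonce, len(secret))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + tag + ct


def is_protected(blob: bytes) -> bool:
    """True if the bytes at rest carry the protection marker."""
    return blob.startswith(MAGIC)


def unprotect(blob: bytes, master_key: bytes) -> bytes:
    """Unwrap a protected blob; raises on a missing marker or a bad tag."""
    if not is_protected(blob):
        raise ValueError("blob is not protected")
    body = blob[len(MAGIC):]
    nonce, tag, ct = body[:16], body[16:48], body[48:]
    expected = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))


class KeyStore:
    """One hypothetical storage area (temporary or permanent): key id -> bytes at rest."""

    def __init__(self) -> None:
        self.entries: dict[str, bytes] = {}

    def put(self, key_id: str, data: bytes) -> None:
        self.entries[key_id] = data

    def get(self, key_id: str) -> bytes:
        return self.entries[key_id]

    def protect_entry(self, key_id: str, master_key: bytes) -> None:
        """Protect the stored bytes in place (no-op if already protected)."""
        data = self.entries[key_id]
        if not is_protected(data):
            self.entries[key_id] = protect(data, master_key)


def export_for_copy(store: KeyStore, key_id: str, master_key: bytes) -> bytes:
    """Hypothetical copy routine that returns *usable* key material, unlocking it
    if needed (the master key is unlocked for the session). Protection does not
    travel with the copy."""
    data = store.get(key_id)
    return unprotect(data, master_key) if is_protected(data) else data


def import_copy_then_protect(secret: bytes, key_id: str, master_key: bytes,
                             temp: KeyStore, perm: KeyStore) -> None:
    """Pre-rewrite ordering from the article: copy first, then protect what is on disk."""
    temp.put(key_id, secret)
    perm.put(key_id, export_for_copy(temp, key_id, master_key))
    perm.protect_entry(key_id, master_key)


def import_protect_then_copy(secret: bytes, key_id: str, master_key: bytes,
                             temp: KeyStore, perm: KeyStore) -> None:
    """Post-rewrite ordering: protect, then copy. The copy lands in plaintext."""
    temp.put(key_id, secret)
    temp.protect_entry(key_id, master_key)
    perm.put(key_id, export_for_copy(temp, key_id, master_key))  # assumption fails here


def import_checked(secret: bytes, key_id: str, master_key: bytes,
                   temp: KeyStore, perm: KeyStore) -> None:
    """Protect, copy the protected blob itself, and refuse to persist plaintext."""
    temp.put(key_id, secret)
    temp.protect_entry(key_id, master_key)
    blob = temp.get(key_id)
    if not is_protected(blob):
        raise RuntimeError("refusing to persist an unprotected secret key")
    perm.put(key_id, blob)


def audit_and_repair(store: KeyStore, master_key: bytes) -> list[str]:
    """Find secret keys stored in plaintext and re-protect them in place."""
    repaired = []
    for key_id, data in list(store.entries.items()):
        if not is_protected(data):
            store.entries[key_id] = protect(data, master_key)
            repaired.append(key_id)
    return repaired
```

The useful habit here is the one in `import_checked`: the invariant "secret keys are never written to permanent storage unprotected" is asserted at the point of persistence, rather than assumed from an earlier step that operated on a different copy. `audit_and_repair` is the defensive counterpart for stores that already contain plaintext entries.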

To avoid having their OpenPGP keys exposed, Thunderbird users should update their email client to version 78.10.2 which protects against the bug.

Via The Register

Date

25 May 2021
