Multiple from fields in email header allow spoofing of OpenPGP signatures
Categories
(MailNews Core :: Security: OpenPGP, defect)
Tracking
Branch | Tracking | Status
---|---|---
thunderbird_esr91 | + | fixed
thunderbird_esr102 | --- | unaffected
People
(Reporter: jorep, Assigned: mkmelin)
References
Details
(Keywords: sec-other)
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Steps to reproduce:
- Take an email signed with OpenPGP, where the public key of the signer was also imported into Thunderbird.
- Edit the source of the email by adding a second from field with another email address before the existing from field.
- Open the edited email with Thunderbird.
Actual results:
Thunderbird displays the email address of the first from field as the sender and it indicates a "Good Digital Signature".
Expected results:
Thunderbird should display an "Uncertain Digital Signature" because there is a mismatch between the shown email address of the sender and the email address which belongs to the signer's public key.
Updated • 4 years ago
Assignee
Comment 1 • 4 years ago
We display all the From addresses if there are many - so not sure there is much room for confusion.
Reporter
Comment 2 • 4 years ago
(In reply to Magnus Melin [:mkmelin] from comment #1)
> We display all the From addresses if there are many - so not sure there is much room for confusion.
That's not the case for me. If an email is built like in the following, then I can only see bob@example.com as the sender in the "From" section.
To: alice@example.com
From: bob@example.com
From: eve@example.com
Nevertheless, if Eve has signed the email, a valid signature is displayed.
I can send you a sample email with the associated public key if that helps.
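The header layout from comment 2, as an added example that is neither Thunderbird code nor part of this bug report: a small Python model of the mismatch. It parses a constructed three-header message (To/From/From, as shown above), reports what a client that renders only the first From presents to the user, and contrasts a naive verifier that treats the signature as good when the signer's address matches any From header with one that compares against the first, displayed From only. The signer address is passed in directly, standing in for the e-mail address in the signing key's user ID; no real OpenPGP signature is parsed, and the function names are my own.

```python
"""Multiple From headers versus the OpenPGP signer identity.

Added example, not Thunderbird code. Models the bug: the UI shows the
first From header, while a naive verifier accepts the signature as long
as the signer's key matches *any* From header in the message.
"""
import email
from email.utils import parseaddr

# Constructed sample message (no real signature; the signer's address is
# supplied separately, as if read from the key's user ID).
SAMPLE_EMAIL = """\
To: alice@example.com
From: bob@example.com
From: eve@example.com
Subject: test

body
"""

# Constructed well-formed message for comparison: one From, matching signer.
CLEAN_EMAIL = """\
To: alice@example.com
From: eve@example.com
Subject: test

body
"""


def from_addresses(raw):
    """Return the address of every From header, lower-cased, in header order."""
    msg = email.message_from_string(raw)
    return [parseaddr(value)[1].lower() for value in msg.get_all("From", [])]


def displayed_sender(raw):
    """The address a client that renders only the first From shows the user."""
    addrs = from_addresses(raw)
    return addrs[0] if addrs else None


def naive_status(raw, signer_email):
    """Vulnerable check: 'good' if the signer matches any From header.

    With SAMPLE_EMAIL and signer eve@example.com this says 'good' while the
    user sees bob@example.com as the sender.
    """
    if signer_email.lower() in from_addresses(raw):
        return "good"
    return "uncertain"


def first_from_status(raw, signer_email):
    """Hardened check: compare the signer only against the displayed (first)
    From, so the address the user sees and the verified identity agree."""
    if displayed_sender(raw) == signer_email.lower():
        return "good"
    return "uncertain"


if __name__ == "__main__":
    print("from headers:", from_addresses(SAMPLE_EMAIL))
    print("displayed:   ", displayed_sender(SAMPLE_EMAIL))
    print("naive:       ", naive_status(SAMPLE_EMAIL, "eve@example.com"))
    print("first-From:  ", first_from_status(SAMPLE_EMAIL, "eve@example.com"))
```

A stricter option than `first_from_status` is to refuse to report any signature as good on a message carrying more than one From header at all, since RFC 5322 allows at most one; the first-From comparison is the narrower behaviour this bug's fix tests for.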
Assignee
Comment 3 • 4 years ago
Oh I thought you meant From: a, b
But yes, send me a sample
Reporter
Comment 4 • 4 years ago
This attachment contains a sample email and the associated public key. The attack originates from the paper "Johnny, you are fired!" (https://github.com/RUB-NDS/Johnny-You-Are-Fired).
Assignee
Comment 5 • 4 years ago
Yeah I see this. The problem is bug 310189 really...
Reporter
Comment 6 • 3 years ago
With the fix of bug 310189 in TB 91.7, this vulnerability seems to be solved for new incoming emails. However, there is no mention of this vulnerability in the security advisory of TB 91.7 (https://www.mozilla.org/en-US/security/advisories/mfsa2022-12/) and this bug is still open. Am I missing something here?
Comment 7 • 3 years ago
(In reply to Jonathan von Niessen from comment #6)
> With the fix of bug 310189 in TB 91.7, this vulnerability seems to be solved for new incoming emails. However, there is no mention of this vulnerability in the security advisory of TB 91.7 (https://www.mozilla.org/en-US/security/advisories/mfsa2022-12/) and this bug is still open. Am I missing something here?
Perhaps because this bug didn't receive a security rating, and bug 310189 itself wasn't rated a security vulnerability.
Should we remove sec-sensitive from this bug report?
Updated • 3 years ago
Assignee
Comment 8 • 3 years ago
For this bug, I just want to add a test, then we can close it.
Comment 9 • 3 years ago
Magnus, as a first step, do you want to describe how the test would work?
Assignee
Comment 10 • 3 years ago
Assignee
Updated • 3 years ago
Comment 11 • 3 years ago
Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/2807342723d7
Test OpenPGP key verification only uses the first From. r=kaie