Mozilla Thunderbird email client could have been abused to impersonate senders
Secure email client was saving users' OpenPGP keys in plain text
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Mozilla’s open sourceemail clientThunderbird has been saving the OpenPGP keys of some users in plain text for the past few months following a code rewrite.
The vulnerability, tracked asCVE-2021-29956, has been given a low severity rating by the company and exists in versions 78.8.1 to 78.10.1 of its email client. Thankfully though, it has now been patched by the developer who introduced it in the first place while trying to add extra protection to the secret keys used byThunderbird.
The bug was first discovered a few weeks ago when a user on the company’s E2EE mailing list noticed that they were able to view OpenPGP-encrypted emails withoutentering their master password. Normally in Thunderbird, users first have to authenticate themselves before being able to viewsecure emailmessages.
By viewing and copying these OpenPGP keys, a local attacker could use them to impersonate a sender and send out unwarranted emails to their contacts.
In a newsecurity advisory, Mozilla provided further details on the vulnerability and how it will be fixed in version 78.10.2 of Thunderbird, saying:
“OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user’s local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions.”
OpenPGP keys
In anew reportfromThe Register, the news outlet spoke with security software developer Kai Engert at the Mozilla Thunderbird Project who explained how master passwords are used byFirefoxand Thunderbird to access stored secrets, saying:
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“As soon as the user has configured a master password, the first time any of the stored secrets is required by Firefox/Thunderbird, the user will be prompted to enter it. If entered correctly, the symmetric key will be unlocked and remembered for the remainder of the session, and any protected secrets can be unlocked as needed.”
Engert also explained that Thunderbird’s key-handling processes had been rewritten in order to maintain their security and this is when the vulnerability was introduced. Before the code rewrite, the email client would copy a key to the permanent storage area and then protect it using Thunderbird’s automatic OpenPGP password. However, after the rewrite, the keys were protected using the client’s automatic OpenPGP password before being copied to to the permanent storage area.
Engert and the reviewer assumed that the protection to the secret key would be preserved when copying it to the other storage area but this turned out to not be the case which led to users' OpenPGP keys being stored in plain text.
To avoid having their OpenPGP keys exposed, Thunderbird users should update their email client to version78.10.2which protects against the bug.
ViaThe Register
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
7 myths about email security everyone should stop believing
Best Usenet client of 2024
Google TV will require more RAM for future upgrades – which might leave older TVs and streaming boxes behind
