Mozilla's open source email client (opens in new tab) Thunderbird has been saving the OpenPGP keys of some users in plain text for the past few months following a code rewrite.
The vulnerability, tracked as CVE-2021-29956 (opens in new tab), has been given a low severity rating by the company and exists in versions 78.8.1 to 78.10.1 of its email client. Thankfully though, it has now been patched by the developer who introduced it in the first place while trying to add extra protection to the secret keys used by Thunderbird (opens in new tab).
The bug was first discovered a few weeks ago when a user on the company's E2EE mailing list noticed that they were able to view OpenPGP-encrypted emails without entering their master password (opens in new tab). Normally in Thunderbird, users first have to authenticate themselves before being able to view secure email (opens in new tab) messages.
By viewing and copying these OpenPGP keys, a local attacker could use them to impersonate a sender and send out unwarranted emails to their contacts.
- We've built a list of the best email services (opens in new tab) available
- These are the best email hosting (opens in new tab) providers on the market
- Also check out our roundup of the best antivirus (opens in new tab)
In a new security advisory (opens in new tab), Mozilla provided further details on the vulnerability and how it will be fixed in version 78.10.2 of Thunderbird, saying:
“OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions.”
In a new report (opens in new tab) from The Register, the news outlet spoke with security software developer Kai Engert at the Mozilla Thunderbird Project who explained how master passwords are used by Firefox (opens in new tab) and Thunderbird to access stored secrets, saying:
“As soon as the user has configured a master password, the first time any of the stored secrets is required by Firefox/Thunderbird, the user will be prompted to enter it. If entered correctly, the symmetric key will be unlocked and remembered for the remainder of the session, and any protected secrets can be unlocked as needed.”
Engert also explained that Thunderbird's key-handling processes had been rewritten in order to maintain their security and this is when the vulnerability was introduced. Before the code rewrite, the email client would copy a key to the permanent storage area and then protect it using Thunderbird's automatic OpenPGP password. However, after the rewrite, the keys were protected using the client's automatic OpenPGP password before being copied to to the permanent storage area.
Engert and the reviewer assumed that the protection to the secret key would be preserved when copying it to the other storage area but this turned out to not be the case which led to users' OpenPGP keys being stored in plain text.
To avoid having their OpenPGP keys exposed, Thunderbird users should update their email client to version 78.10.2 (opens in new tab) which protects against the bug.
- Keep your devices virus free with the best malware removal software (opens in new tab)
Via The Register (opens in new tab)