oss-sec mailing list archives
Enigmail XSA issue with WKD and HTTP authentication
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 7 Dec 2018 15:43:02 +0100
Hi,

There's an issue in Enigmail that can potentially be abused for phishing attacks involving WKD and HTTP authentication.

Web Key Directory or WKD [1] is a feature where OpenPGP keys can be fetched via a defined web address of the form

https://example.org/.well-known/./openpgpkey/hu/[zbase32_sha1_hash_of_local_part]

Enigmail automatically tries to fetch WKD keys already when writing a mail, so simply having a mail address in "To" will cause an HTTPS request.

When the server answers with an HTTP authentication challenge (HTTP code 401), Enigmail/Thunderbird will open up an HTTP login window. While the login window will show the hostname, this can be very confusing for a user. If a login window randomly pops up within a mail client, it's plausible that some users will enter their email credentials.

Here's a video to illustrate the issue:
https://www.youtube.com/watch?v=eFSMBX98XiE

Similar attacks in browsers have previously been described as "Cross-Site-Authentication" or XSA [2].

I think it would be good if the WKD draft were updated to clarify that a client should never answer any 401 authentication requests from the server.

I discovered this together with Moritz Tremmel (we discovered this by accident due to a server serving HTTP authentication requests for every path starting with a dot). After we reported this to Enigmail we learned that this was previously reported in the public bug tracker:
https://sourceforge.net/p/enigmail/bugs/890/

[1] https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07
[2] http://www.joachim-breitner.de/blog/56-Like_XSS,_just_simpler_and_harder_to_prevent__The_Cross_Site_Auth_(XSA)_Attack

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
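As an added illustration (not code from the post, Enigmail or GnuPG), the following Python sketch shows how a WKD client builds the lookup URL described above and how it can implement the suggested mitigation: a 401/407 challenge from the key server is recorded as "no key" and is never passed on to the UI as something to answer. The z-base-32 alphabet is the one the WKD draft references from RFC 6189; the `HttpResponse` type and the injected `http_get` callable are assumptions so the lookup can be exercised offline.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# z-base-32 alphabet (RFC 6189 section 5.1.6), the encoding the WKD draft prescribes
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first, zero-padded."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_direct_url(address: str) -> str:
    """WKD 'direct method' URL: SHA-1 of the lowercased local part, z-base-32 encoded."""
    local_part, domain = address.rsplit("@", 1)
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{zbase32_encode(digest)}"


@dataclass
class HttpResponse:  # assumed minimal response type, constructed for this example
    status: int
    body: bytes = b""


def fetch_wkd_key(address: str, http_get: Callable[[str], HttpResponse]) -> Tuple[str, Optional[bytes]]:
    """Look up a key via WKD and return (outcome, key_bytes_or_None).

    WKD keys are public, so an HTTP authentication challenge never has a legitimate
    answer. The client classifies it and moves on; it does not surface a login prompt.
    """
    resp = http_get(wkd_direct_url(address))
    if resp.status == 200 and resp.body:
        return ("found", resp.body)
    if resp.status in (401, 407):
        # Challenge ignored on purpose: log it for the operator, never prompt the user.
        return ("auth-challenge-ignored", None)
    return ("not-found", None)
```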