
A security researcher has discovered a critical vulnerability in some of the world's most popular and widely used email encryption clients that implement the OpenPGP standard and rely on GnuPG for encrypting and digitally signing messages.

The disclosure comes almost a month after researchers revealed a series of flaws, dubbed eFail, in PGP and S/MIME encryption tools that could allow attackers to recover the plaintext of encrypted emails, affecting a variety of email programs, including Thunderbird, Apple Mail, and Outlook.

Software developer Marcus Brinkmann discovered that an input sanitisation vulnerability, which he dubbed SigSpoof, makes it possible for attackers to fake digital signatures with someone's public key or key ID, without requiring any of the private or public keys involved.

images from Hacker News