Enigmail XSA issue with WKD and HTTP authentication
Hanno Böck
2018-12-07 14:43:02 UTC

There's an issue in Enigmail that can potentially be abused for
phishing attacks involving WKD and HTTP authentication.

Web Key Directory or WKD [1] is a feature where OpenPGP keys can be
fetched via a defined web address of the form

Enigmail automatically tries to fetch WKD keys already when writing a
mail, so simply having a mail address in "To" will cause an HTTPS

When the server answers with an HTTP authentication challenge (HTTP code
401) then Enigmail/Thunderbird would open up an HTTP login window.
While the login window will show the hostname, this can be very
confusing for a user. If a login window randomly pops up within a mail
client it's plausible that some users will enter their email
credentials. Here's a video to illustrate the issue:

Similar attacks in browsers have previously been described as
"Cross-Site-Authentication" or XSA [2].

I think it would be good if the WKD draft were updated to clarify
that a client should never answer any 401 authentication requests
from the server.

I discovered this together with Moritz Tremmel (we discovered this by
accident due to a server serving HTTP authentication requests for
every path starting with a dot). After we reported this to Enigmail we
learned that this was previously reported in the public bug tracker:

[1] https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07

Hanno Böck

mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42