[oss-security] Enigmail XSA issue with WKD and HTTP authentication
Hanno Böck
2018-12-07 14:43:02 UTC
Hi,

There's an issue in Enigmail that can potentially be abused for
phishing attacks involving WKD and HTTP authentication.

Web Key Directory or WKD [1] is a feature where OpenPGP keys can be
fetched via a defined web address of the form
https://example.org/.well-known/./openpgpkey/hu/[zbase32_sha1_hash_of_local_part]

Enigmail automatically tries to fetch WKD keys already when writing a
mail, so simply having a mail address in "To" will cause an HTTPS
request.

When the server answers with an HTTP authentication challenge (HTTP code
401), Enigmail/Thunderbird will open up an HTTP login window.
While the login window will show the hostname, this can be very
confusing for a user. If a login window randomly pops up within a mail
client, it's plausible that some users will enter their email
credentials. Here's a video to illustrate the issue:


Similar attacks in browsers have previously been described as
"Cross-Site-Authentication" or XSA [2].

I think it would be good if the WKD draft were updated to clarify
that a client should never answer any 401 authentication requests
from the server.


I discovered this together with Moritz Tremmel (We discovered this by
accident due to a server serving HTTP authentication requests for
every path starting with a dot). After we reported this to Enigmail we
learned that this was previously reported in the public bug tracker:
https://sourceforge.net/p/enigmail/bugs/890/

[1] https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07
[2] http://www.joachim-breitner.de/blog/56-Like_XSS,_just_simpler_and_harder_to_prevent__The_Cross_Site_Auth_(XSA)_Attack
--
Hanno Böck
https://hboeck.de/

mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
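The two technical points of the mail above, the WKD lookup URL and the rule that a WKD client must never answer a 401, as an added example. This is not Enigmail's or GnuPG's code; it is a small stand-alone client written for this page. It follows the direct-method URL of the draft cited as [1] (SHA-1 of the local part, with uppercase ASCII mapped to lowercase before hashing, Z-Base-32 encoded, under /.well-known/openpgpkey/hu/ on the address's domain). The address, the response table and the function names are constructed for the example; the network fetcher is included for completeness but is not exercised here.

```python
"""WKD lookup URL construction and 401-safe response handling.

Added example, not the code of Enigmail or GnuPG. Assumptions (labelled):
the direct-method URL form of draft-koch-openpgp-webkey-service-07, and
that the local part is lowercased before hashing. The central point of
the mail is encoded in handle_wkd_response(): an HTTP 401 from a WKD
server is never answered with credentials; the lookup just yields no key.
"""
import hashlib
import urllib.error
import urllib.request

# Z-Base-32 alphabet as used by WKD for the 160-bit SHA-1 digest.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Z-Base-32 encode bytes: 5 bits per symbol, leftover bits zero-padded,
    no padding characters. 20 digest bytes (160 bits) give exactly 32 chars."""
    out = []
    buf = 0
    nbits = 0
    for byte in data:
        buf = (buf << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(buf >> nbits) & 0x1F])
        buf &= (1 << nbits) - 1  # keep only the not-yet-emitted bits
    if nbits:
        out.append(ZBASE32_ALPHABET[(buf << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_url(address: str) -> str:
    """Direct-method WKD URL for a mail address (draft-07 form).
    The host is the lowercased domain part; the path element is the
    Z-Base-32 encoded SHA-1 of the lowercased local part."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not a mail address: %r" % address)
    digest = hashlib.sha1(local.lower().encode("utf-8")).digest()
    return "https://%s/.well-known/openpgpkey/hu/%s" % (
        domain.lower(), zbase32_encode(digest))


def handle_wkd_response(status: int, headers: dict) -> str:
    """Classify a WKD server response for the client.

    Returns 'use-key' (200, body is the key), 'refuse-auth' (the server
    challenged us; a WKD client never prompts for or sends credentials,
    the lookup simply fails) or 'no-key' for anything else."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in hdrs:
        return "refuse-auth"
    if status == 200:
        return "use-key"
    return "no-key"


def fetch_wkd_key(address: str, timeout: float = 10.0):
    """Fetch the binary key for an address, or None.

    The opener is built without HTTPBasicAuthHandler/HTTPDigestAuthHandler,
    so a 401 can only surface as an HTTPError, which is mapped to "no key"
    rather than to an interactive login. (A real client must additionally
    check that the returned key carries a user ID for the address.)"""
    opener = urllib.request.build_opener()  # default handlers: no auth handlers
    try:
        with opener.open(wkd_url(address), timeout=timeout) as resp:
            if handle_wkd_response(resp.status, dict(resp.headers)) != "use-key":
                return None
            return resp.read()
    except urllib.error.HTTPError:
        return None  # 401 lands here as well; the challenge is never answered
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    # Constructed inputs; the 401 row is the situation described in the mail.
    print(wkd_url("Joe.Doe@Example.ORG"))
    responses = [
        (200, {"Content-Type": "application/octet-stream"}),
        (404, {}),
        (401, {"WWW-Authenticate": 'Basic realm="mail"'}),
    ]
    for status, hdrs in responses:
        print(status, handle_wkd_response(status, hdrs))
```

The decisive detail is in fetch_wkd_key(): no authentication handler is ever installed, so there is no code path from a 401 to a credential prompt, which is exactly the behaviour the mail asks the draft to require of clients.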