2018-12-07 14:43:02 UTC
There's an issue in Enigmail that can potentially be abused for
phishing attacks involving WKD and HTTP authentication.
Web Key Directory (WKD) is a mechanism by which OpenPGP keys can be
fetched from a well-defined web address of the form
Enigmail automatically tries to fetch WKD keys while a mail is still
being composed, so simply having a mail address in "To" will cause an HTTPS
When the server answers with an HTTP authentication challenge (HTTP status
401), Enigmail/Thunderbird opens an HTTP login window.
While the login window does show the hostname, this can be very
confusing for a user. If a login window pops up unexpectedly inside a mail
client, it is plausible that some users will enter their email
credentials. Here's a video to illustrate the issue:
Similar attacks in browsers have previously been described as
"Cross-Site Authentication" or XSA.
I think it would be good if the WKD draft were updated to clarify
that a client should never respond to any 401 authentication request
from the server.
I discovered this together with Moritz Tremmel (we discovered this by
accident due to a server serving HTTP authentication requests for
every path starting with a dot). After we reported this to Enigmail we
learned that it had previously been reported in the public bug tracker:
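The client behaviour the message argues for, as an added example (not Enigmail's or Thunderbird's code, and not code from the report): a small WKD lookup that treats a 401 challenge as "no key published" and has no code path through which credentials could be prompted for or sent. It goes slightly beyond the text by also building the WKD "direct method" URL (z-base-32 of SHA-1 over the lowercased local part under /.well-known/openpgpkey/hu/). The `scheme`/`host` parameters and the local test server, which answers every dot-prefixed path with a 401 exactly like the misconfigured host in the report, are assumptions constructed for this example.

```python
import base64
import hashlib
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# WKD names key files by the z-base-32 encoding of SHA-1(lowercased local part).
# z-base-32 is ordinary base32 with a different alphabet, so we re-map the
# output of base64.b32encode; 20 digest bytes give exactly 32 characters.
_ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
_RFC4648_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_TO_ZB32 = str.maketrans(_RFC4648_ALPHABET, _ZB32_ALPHABET)


def wkd_hash(local_part: str) -> str:
    """Return the z-base-32 SHA-1 hash WKD uses as the key file name."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)


def wkd_url(address: str, scheme: str = "https", host: Optional[str] = None) -> str:
    """Build the WKD direct-method URL for a mail address.

    `scheme` and `host` are assumptions for this example: they let the
    lookup be pointed at a plain-HTTP test server instead of the mail domain.
    """
    local_part, domain = address.rsplit("@", 1)
    return (
        f"{scheme}://{host or domain.lower()}/.well-known/openpgpkey/hu/"
        f"{wkd_hash(local_part)}?l={urllib.parse.quote(local_part)}"
    )


def fetch_wkd_key(url: str, timeout: float = 5.0) -> Tuple[str, bytes]:
    """Fetch a key from a WKD URL without ever answering an auth challenge.

    Returns (status, payload) with status one of:
      "key"            - 200, payload holds the key material
      "no-key"         - any other HTTP error, nothing published
      "auth-challenge" - 401: the WWW-Authenticate value is returned for
                         logging, no login prompt is shown, nothing is sent
      "error"          - network failure
    """
    # The opener deliberately has no HTTPBasicAuthHandler/HTTPDigestAuthHandler
    # (and no proxy), so there is simply no code that could transmit credentials.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    request = urllib.request.Request(url, headers={"User-Agent": "wkd-example/0"})
    try:
        with opener.open(request, timeout=timeout) as response:
            return "key", response.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            # A key directory has no reason to demand credentials: treat the
            # challenge as "no key found" and surface it only as diagnostics.
            return "auth-challenge", err.headers.get("WWW-Authenticate", "").encode()
        return "no-key", b""
    except urllib.error.URLError:
        return "error", b""


class _DotPathChallenger(BaseHTTPRequestHandler):
    """Constructed test server: answers every path starting with a dot with
    a 401 Basic challenge, like the misconfigured host in the report."""

    def do_GET(self):
        if self.path.startswith("/."):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="mail"')
        else:
            self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def demo(address: str = "Joe.Doe@Example.ORG") -> str:
    """Run the lookup against the local challenging server; return the status."""
    server = HTTPServer(("127.0.0.1", 0), _DotPathChallenger)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host = f"127.0.0.1:{server.server_address[1]}"
        status, _ = fetch_wkd_key(wkd_url(address, scheme="http", host=host))
        return status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(wkd_url("Joe.Doe@Example.ORG"))
    print(demo())  # auth-challenge
```

The important property is structural rather than a check on the response: the opener is built without any authentication handler, so a 401 can only ever end up as a logged lookup failure. A mail client that delegates the fetch to a general-purpose HTTP stack with interactive auth wired in has to disable that path explicitly for key lookups.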