Hanno Böck
2018-12-07 14:43:02 UTC
Hi,
There's an issue in Enigmail that can potentially be abused for
phishing attacks involving WKD and HTTP authentication.
Web Key Directory or WKD [1] is a feature where OpenPGP keys can be
fetched via a defined web address of the form
https://example.org/.well-known/./openpgpkey/hu/[zbase32_sha1_hash_of_local_part]
Enigmail automatically tries to fetch WKD keys already when writing a
mail, so simply having a mail address in "To" will cause an HTTPS
request.
When the server answers with an HTTP authentication challenge (HTTP code
401) then Enigmail/Thunderbird would open up an HTTP login window.
While the login window will show the hostname, this can be very
confusing for a user. If a login window randomly pops up within a mail
client it's plausible that some users will enter their email
credentials. Here's a video to illustrate the issue:
Similar attacks in browsers have previously been described as
"Cross-Site-Authentication" or XSA [2].
I think it would be good if the WKD draft would be updated to clarify
that a client should never answer any 401 authentication requests
from the server.
I discovered this together with Moritz Tremmel (we discovered this by
accident due to a server serving HTTP authentication requests for
every path starting with a dot). After we reported this to Enigmail we
learned that this was previously reported in the public bug tracker:
https://sourceforge.net/p/enigmail/bugs/890/
[1] https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07
[2]
http://www.joachim-breitner.de/blog/56-Like_XSS,_just_simpler_and_harder_to_prevent__The_Cross_Site_Auth_(XSA)_Attack
--
Hanno Böck
https://hboeck.de/
mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
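As an added illustration of the client behaviour the report asks for (example code, not Enigmail's or the draft's own): a WKD lookup that builds the direct-method URL described above and treats a 401 exactly like a 404, so no credential prompt can ever be surfaced. It assumes the draft-07 path without the "./" segment and without a query parameter; the fake responses in the comments are constructed.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# z-base-32 alphabet used by WKD for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding), five bits per character."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 31])
    if nbits:  # left-align the leftover bits into one final character
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 31])
    return "".join(out)


def wkd_url(email: str) -> str:
    """WKD direct-method URL: zbase32(sha1(lowercased local part)) under the
    domain's /.well-known/openpgpkey/hu/ path (assumed draft-07 layout)."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha1(local.lower().encode("utf-8")).digest()
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{zbase32_encode(digest)}"


def _http_get(url: str) -> Tuple[int, bytes]:
    """Plain GET. urllib's default opener carries no auth handler, so a 401
    surfaces as HTTPError and is reported as a status, never answered."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def fetch_wkd_key(email: str,
                  fetch: Optional[Callable[[str], Tuple[int, bytes]]] = None
                  ) -> Optional[bytes]:
    """Return the binary key from WKD, or None when the lookup fails.
    Any non-200 status (404, 401, 5xx) is simply 'no key available'; the
    client never prompts for or sends credentials to the key server."""
    status, body = (fetch or _http_get)(wkd_url(email))
    return body if status == 200 and body else None
```

Injecting `fetch` lets the 401 path be exercised offline with a constructed response such as `lambda url: (401, b"")`.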