Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu

Cockup has since been patched in latest release


Mozilla Thunderbird spent the last couple of months saving some users’ OpenPGP keys in plain text – but that’s now been patched, the author of both the bug and the patch fixing it has told The Register.

The vulnerability, assessed as “low” impact by Mozilla, existed in the free open source Thunderbird email client between version 78.8.1 and version 78.10.1 after a crestfallen maintainer realised carefully designed protections were in fact not protecting users’ private OpenPGP keys.

Tracked as CVE-2021-29956, the vuln saw imported OpenPGP keys saved to users’ devices without encryption. A local attacker could therefore have viewed and copied the keys, allowing them to pose as the genuine sender of supposedly secure emails.

Thunderbird maintainer Kai Engert told The Register: “It was my personal mistake to not have explicitly tested my assumption.”

A few weeks ago some Thunderbird users on the desktop email client’s end-to-end encryption mailing list realised that on opening the program, they were able to view OpenPGP-encrypted emails without entering their master passwords. In Thunderbird, such messages are only supposed to be viewable after authenticating yourself.

“As soon as the user has configured a master password, the first time any of the stored secrets is required by Firefox/Thunderbird, the user will be prompted to enter it,” explained Engert. “If entered correctly, the symmetric key will be unlocked and remembered for the remainder of the session, and any protected secrets can be unlocked as needed.”

Assumption is the mother of...

Engert went on to say precisely what went wrong. The key-handling code had been rewritten with the intention of preserving its security. Before that rewrite, Thunderbird’s process for handling a newly imported OpenPGP key was:

  1. import the secret key into a memory temporary area
  2. unlock the key using the user-provided password
  3. copy the key to the permanent storage area
  4. protect the key using Thunderbird's automatic OpenPGP password
  5. save the new list of secret keys to disk

After the rewrite, Engert said, the new chain of events had become:

  1. import the secret key into a memory temporary area
  2. unlock the key using the user-provided password
  3. protect the key using Thunderbird's automatic OpenPGP password
  4. copy the key to the permanent storage area
  5. save the new list of secret keys to disk

Spot the changed order of steps 3 and 4.

"The code author (me) and the reviewer both assumed that this would be equivalent," said Engert. "The assumption was: the protection to the secret key in step 3 would be preserved when copying it to the other storage area... the assumption was false."

In fact, when the key was copied to permanent storage, that protection didn't travel with it, due to what Engert told us was an error in the RNP software library, used in Thunderbird and Mozilla's Firefox browser to protect OpenPGP keys.

Thunderbird version 78.10.2 protects against the bug, and later versions of the email client will, so we’re told, check if there are any unprotected keys in secring.gpg, with Engert adding: “If such keys are found, they will be converted to protected keys.” Fuller details of the fix are available on Bugzilla.

Thunderbird previously used the Enigmail addon’s implementation of OpenPGP until native support was announced last August.

Back in January 2020 Mozilla moved Thunderbird to a subsidiary of its main foundation, in the evident hope of increasing its takeup and commercialisation. ®
