Allele Security Alert
Message Signature Bypass
OpenPGP.js versions before 4.2.0
OpenPGP.js version 4.2.0
Proof of concept
During verification of a message signature, OpenPGP.js does not verify that the signature is of type text. An attacker could therefore construct a message that, instead of a text signature, contains a signature of another type. As the input required for the verification process depends on the signature type, an attacker could use a signature with a type that only verifies its subpackets and does not require additional input.
An attacker could construct a message that contains a valid “standalone” or “timestamp” signature packet signed by another person. OpenPGP.js would incorrectly assume this message to be signed by that person.
Wolfgang Ettlinger (SEC Consult Vulnerability Lab)
Multiple Vulnerabilities in OpenPGP.js
Mailvelope Extensions Security Audit
Mailvelope Extensions Security Audit [PDF]
Release v4.2.0 – Security Release · openpgpjs/openpgpjs
Only accept binary or text signatures when verifying messages
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: September 4, 2019