A team of security researchers has discovered several vulnerabilities in various implementations of OpenPGP and S/MIME email signature verification that could allow attackers to spoof signatures on over a dozen of popular email clients.
The affected email clients include Thunderbird, Microsoft Outlook, Apple Mail with GPGTools, iOS Mail, GpgOL, KMail, Evolution, MailMate, Airmail, K-9 Mail, Roundcube and Mailpile.
When you send a digitally signed email, it offers end-to-end authenticity and integrity of messages, ensuring recipients that the email has actually come from you.
However, researchers tested 25 widely-used email clients for Windows, Linux, macOS, iOS, Android and Web and found that at least 14 of them were vulnerable to multiple types of practical attacks under five below-mentioned categories, making spoofed signatures indistinguishable from a valid one even by an attentive user.
The research was conducted by a team of researchers from Ruhr University Bochum and Münster University of Applied Sciences, which includes Jens Müller , Marcus Brinkmann , Damian Poddebniak , Hanno Böck, Sebastian Schinzel , Juraj Somorovsky, and Jörg Schwenk.
“In our scenario, we assume two trustworthy communication partners, Alice and Bob, who have securely exchanged their public PGP keys or S/MIME certificates,” the team explains in a research paper [PDF] published today.
“The goal of our attacker Eve is to create and send an email with arbitrary content to Bob whose email client falsely indicates that the email has been digitally signed by Alice.”
1) CMS Attacks (C1, C2, C3, C4) — Flaws due to mishandling of Cryptographic Message Syntax (CMS), the container format of S/MIME, lead to contradicting or unusual data structures, such as multiple signers or no signers.
2) GPG API Attacks (G1, G2) — Implementation flaws in many email clients fail to properly parse a wide range of different inputs that could allow attackers to inject arbitrary strings into GnuPG status line API and logging messages, tricking clients into displaying successful signature validation for arbitrary public keys.
3) MIME Attacks (M1, M2, M3, M4) — MIME wrapping attacks abuse how email clients handle partially signed messages. These attacks allow attackers to trick email clients into showing an unsigned text while verifying an unrelated signature in another part (which remains invisible).
4) ID attacks (I1, I2, I3) — These attacks rely on the weaknesses in the binding of signed messages to the sender identity by mail clients, allowing attackers to display a valid signature from the identity (ID) of a trusted communication partner located in the mail header.
5) UI Attacks (U1) — User Interface (UI) redressing attacks are successful if attackers found a way to mimic, using HTML, CSS, or inline images, some important UI elements of an email client that could allow them to display an indicator of a valid signature.
Below are the results of all of the above-mentioned signature spoofing attacks tested against various email clients for OpenPGP, where full blacked circle indicator represents “Perfect forgery,” half blacked circle represents “Partial forgery,” and the white one represents “Weak forgery.”