Meddington / OutlookPrivacyPlugin

A PGP encryption plugin for Outlook 2010, 2013 and 2016.
BSD 3-Clause "New" or "Revised" License

Serious: Signature verification output is indistinguishable from message content #134

Open andrewgdotcom opened 8 years ago

andrewgdotcom commented 8 years ago

It appears that the plugin's output is prepended to the message content before passing to the viewer subroutine, rather than being marked in the application chrome (as in enigmail):

> Valid signature from "Andrew Gallagher andrew.gallagher@ward.ie" with KeyItemId 14A49700.

The plugin output is thus indistinguishable from the original mail content. The viewer subroutine renders it as if it were part of the original mail, and so it is also indistinguishable by the end user. This opens an attack that renders the plugin untrustworthy for signature verification.

An adversary could craft a message that would appear to be a PGP signed message to the human eye but not to the plugin (e.g., by substituting nonprinting or alternative charset characters in the "-----BEGIN PGP SIGNED MESSAGE-----" header) and then prepend a faked "Valid signature" notification, so that the end user is tricked into believing that the plugin has been called and has verified the message successfully. The only indication that the plugin has not run would be the greying out of the "verify" button in the top right corner - this is far from obvious and would be easily missed under normal circumstances.

Solution: The plugin should mimic enigmail's behaviour:

a) it should not alter the content of the mail (except possibly to collapse PGP metadata that has been successfully processed)

b) it should display a brightly coloured indicator in a more prominent position in the application chrome, e.g. a horizontal bar separate from the main content.
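To make points (a) and (b) concrete, here is an added Python sketch (written for this note; it is not the plugin's code and is not taken from this thread). It returns the message body untouched and carries the verdict in a separate banner field for the application chrome, and it flags a line that folds to a PGP armor header (soft hyphen, zero-width or lookalike dash characters removed) but is not the exact ASCII header. The `verify` callable is assumed to be supplied by the caller; `armor_is_well_formed` is a constructed structural stand-in and performs no cryptography.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import Callable

ARMOR_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
# Any dash-padded variant of the header text, checked after lookalike folding.
HEADER_LOOKALIKE = re.compile(r"-+BEGIN PGP SIGNED MESSAGE-+")


@dataclass(frozen=True)
class Status:
    state: str    # "VALID", "INVALID", "NOT_SIGNED" or "SUSPICIOUS_HEADER"
    detail: str


def fold_lookalikes(line: str) -> str:
    """Fold a line to roughly what a reader sees: drop invisible format
    characters (soft hyphen U+00AD, zero-width space, ...), apply NFKC so
    fullwidth letters become ASCII, and map every dash-like character to '-'."""
    visible = "".join(ch for ch in line if unicodedata.category(ch) != "Cf")
    folded = unicodedata.normalize("NFKC", visible)
    return "".join("-" if unicodedata.category(ch) == "Pd" else ch for ch in folded).strip()


def armor_is_well_formed(body: str) -> bool:
    """Constructed stand-in for the real OpenPGP verifier (assumption): it only
    checks that the clear-signed layout (header, text, signature block) exists.
    A real plugin must call its OpenPGP library here instead."""
    lines = body.splitlines()
    try:
        start = lines.index(ARMOR_BEGIN)
        sig_start = lines.index(SIG_BEGIN, start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError:
        return False
    return sig_start > start + 1 and sig_end > sig_start + 1


def classify(body: str, verify: Callable[[str], bool]) -> Status:
    """Decide the verdict without ever touching the body text."""
    lines = body.splitlines()
    if ARMOR_BEGIN in lines:
        if verify(body):
            return Status("VALID", "signature verified by the OpenPGP backend")
        return Status("INVALID", "armor present but verification failed")
    for line in lines:
        if HEADER_LOOKALIKE.fullmatch(fold_lookalikes(line)):
            return Status("SUSPICIOUS_HEADER",
                          "a line resembles a PGP header but is not one; nothing was verified")
    return Status("NOT_SIGNED", "no PGP signature found")


def render(body: str, verify: Callable[[str], bool]) -> dict:
    """Point (a): 'content' is the original body, byte for byte.
    Point (b): the verdict lives in 'banner', which the UI draws in the
    application chrome, never inside the message pane."""
    status = classify(body, verify)
    return {"banner": f"[{status.state}] {status.detail}", "content": body}


# Constructed sample messages (placeholder signature data, no real key material).
GENUINE = "\n".join([
    ARMOR_BEGIN, "Hash: SHA256", "", "Meeting moved to 15:00.",
    SIG_BEGIN, "PLACEHOLDER-BASE64-SIGNATURE", SIG_END,
])
# Test vector for the issue above: a fake banner line in the body, followed by a
# header whose first hyphen is a soft hyphen (U+00AD), which renders invisibly.
FORGED = "\n".join([
    'Valid signature from "Alice Example <alice@example.invalid>" with KeyItemId DEADBEEF.',
    "\u00ad" + ARMOR_BEGIN[1:], "Hash: SHA256", "", "Meeting moved to 15:00.",
    SIG_BEGIN, "PLACEHOLDER-BASE64-SIGNATURE", SIG_END,
])

if __name__ == "__main__":
    for name, body in (("genuine", GENUINE), ("forged", FORGED)):
        view = render(body, armor_is_well_formed)
        print(name, "->", view["banner"])
```

Because the body is returned unchanged, a forged "Valid signature" line in the message can only ever appear inside the content pane, where the chrome banner next to it still reads SUSPICIOUS_HEADER or NOT_SIGNED. The lookalike folding is deliberately broad (it also catches a U+2010 hyphen or fullwidth letters); a false positive only downgrades a message to "suspicious", which is the safe direction.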

andrewgdotcom commented 8 years ago

outlook-privacy-plugin-exploit.txt

I've just confirmed a proof of concept email that performs this attack - all I needed to do was replace one hyphen with a soft hyphen.

Meddington commented 8 years ago

Yes, this is a known issue. Currently the workaround is to utilize the message preview. Since we do not perform any sig validation or decryption in the preview, you can see if the header is active.

The longer term plan has always been to integrate into the Outlook UI. In fact there is an exploratory branch with some work done towards this.

Patches are always welcome if anyone wants to finish the work.