Bug Description:
It is possible to spoof a decrypted message using an image, or by building a similar-looking frameset in HTML (see attachments). This could confuse a user into believing that the message they are receiving is encrypted and therefore more trustworthy than a plaintext email. It is a short step from there to the user believing that a reply to this message would automatically be encrypted.
Reproduction Steps:
To reproduce this bug you could encrypt a message to yourself, take a screenshot of it once it is decrypted, and then paste the screenshot into an email to the victim. Injecting the frameset HTML is slightly more difficult:
In a non-encrypted email, right-click in the message body and “inspect element”
In dev tools window expand
and tags of highlighted element
Right-click and select “Edit as HTML”
Paste the frameset code directly after
Click outside the edit box to save the results
See the frameset appear in the message body, manually tweak font size as necessary
Send the email
Mitigation:
Consider moving the encrypted-email indicators out of the message body, to somewhere like the current location of the lock icon, so that they are more difficult to spoof.
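As an added defensive example (not code from the report or the mail client it concerns), the following sanitizer rebuilds an incoming HTML body without frame-like elements and records what it removed, so a client that renders HTML can both neutralise the injected frameset and flag the message. It assumes the client has a place to run such a pass before rendering; the element names are the standard HTML ones.

```python
import html
from html.parser import HTMLParser

# Frame-like elements only serve, inside a mail body, to imitate client chrome.
BLOCKED_CONTAINERS = {"frameset", "noframes", "iframe", "object"}
BLOCKED_VOID = {"frame", "embed"}  # void elements: no closing tag to track

class MailBodySanitizer(HTMLParser):
    def __init__(self):
        super().__init__()   # convert_charrefs=True: text arrives unescaped
        self.out = []        # rebuilt markup
        self.stripped = []   # tag names removed, worth logging or flagging
        self._skip = 0       # >0 while inside a blocked container

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_CONTAINERS:
            self.stripped.append(tag)
            self._skip += 1
        elif tag in BLOCKED_VOID:
            self.stripped.append(tag)
        elif not self._skip:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <tag/> form
        if tag in BLOCKED_CONTAINERS or tag in BLOCKED_VOID:
            self.stripped.append(tag)
        elif not self._skip:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in BLOCKED_CONTAINERS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag not in BLOCKED_VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_body(raw_html):
    p = MailBodySanitizer()
    p.feed(raw_html)
    p.close()
    return "".join(p.out), p.stripped  # non-empty list is a spoofing signal

# Constructed sample (not the report's attachment): a frameset injected into an
# ordinary message to imitate a "decrypted message" banner.
SAMPLE = ('<p>Hi &amp; hello,</p><frameset rows="20%,*"><frame src="about:blank">'
          '<noframes><b>Decrypted message</b></noframes></frameset>'
          '<p>please reply.</p>')
```

This closes only the frameset vector; a pasted screenshot is still an image the body may legitimately contain, which is why moving the indicator out of the body remains the real fix.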
from @dougdeperry: