Mozilla's Secure Open Source Fund and Posteo found several holes in the Thunderbird extension Enigmail that could be abused.
The hole called TBE-01-002 abuses the email parser function in funcs.jsm. This function is normally there to extract email addresses, but it seems that it can be attacked through regular expressions.
TBE-01-005 allows an attacker to see encrypted emails in plain text, which is horrible. It works like a MITM attack to catch the email.
TBE-01-021 allows an attacker to fake the address header so that a receiver thinks the message was legitimately sent from user x.
The audit shows several other holes which affect the implementation of Pretty Easy Privacy. Math.random() gets attacked here because its number generation is not unique. This also opens the way for DoS attacks.
The good news is that Posteo and Mozilla are now working together to fix all of the mentioned holes, and the extension will then get an update. It's also mentioned that Enigmail will get the Posteo autocrypt procedure to make it easier to work with encrypted emails.