Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 7 Dec 2018 15:43:02 +0100
From: Hanno Böck <>
Subject: Enigmail XSA issue with WKD and HTTP authentication


There's an issue in Enigmail that can potentially be abused for
phishing attacks involving WKD and HTTP authentication.

Web Key Directory or WKD [1] is a feature where OpenPGP keys can be
fetched via a defined web address of the form[zbase32_sha1_hash_of_local_part]

Enigmail automatically tries to fetch WKD keys already when writing a
mail, so simply having a mail address in "To" will cause an HTTPS

When the server answers with a HTTP authentication challenge (HTTP code
401) then Enigmail/Thunderbird would open up an HTTP login window.
While the login window will show the hostname, this can be very
confusing for a user. If randomly a login window pops up within a mail
client it's plausible that some users will enter their email
credentials. Here's a video to illustrate the issue:

Similar attacks in browsers have previously been described as
"Cross-Site-Authentication" or XSA [2].

I think it would be good if the WKD draft would be updated to clarify
that a client should never answer to any 401 authentication requests
from the server.

I discovered this together with Moritz Tremmel (We discovered this by
accident due to a server serving HTTP authentication requests for
every path starting with a dot). After we reported this to Enigmail we
learned that this was previously reported in the public bug tracker:

Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.