The audit revealed various vulnerabilities in the project’s previous versions of Mailvelope and the OpenPGP.js crypto library.
For example, one of the vulnerabilities found describes the execution of an Invalid Curve Attack, an attack on the Elliptic Curve Cryptography implementation. Under special conditions, this vulnerability could have allowed an attacker to read out private PGP keys of a victim and thus be able to read encrypted emails, for example.
Other vulnerabilities would have allowed (under special conditions) an attacker to fake signatures, subjugate manipulated key material, or manipulate browser extension settings.
SEC Consult has been able to uncover this and many more vulnerabilities as part of an in-depth analysis and is proud to have contributed to the security and quality of these open source projects.
More about Mailvelope:
- Press release by the BSI (German)