- On 22. Aug 2019
Mailvelope allows encryption, decryption or signing of e-mails directly in the browser as well as to perform a signature check on e-mails. In order to further improve and develop the browser extension, SEC Consult was tasked by the BSI to do a security test.
The audit revealed various vulnerabilities in the project’s previous versions of Mailvelope and the OpenPGP.js crypto library.
For example, one of the vulnerabilities found describes the execution of an Invalid Curve Attack, an attack on the Elliptic Curve Cryptography implementation. Under special conditions, this vulnerability could have allowed an attacker to read out private PGP keys of a victim and thus be able to read encrypted emails, for example.
Other vulnerabilities would have allowed (under special conditions) an attacker to fake signatures, subjugate manipulated key material, or manipulate browser extension settings.
SEC Consult has been able to uncover this and many more vulnerabilities as part of an in-depth analysis and is proud to have contributed to the security and quality of these open source projects.
More about Mailvelope:
Interested in working with SEC Consult experts? Send us your application. Would you like to improve your own cyber security with SEC Consult experts? Contact our local offices.