Security researcher Marcus Brinkmann has discovered a security flaw in GnuPG which potentially allowed attackers to spoof the digital signatures of nearly any person with a public key, Ars Technica reported.
Brinkmann said the vulnerability, dubbed SigSpoof, has the potential to affect a large part of the web’s core infrastructure.
“GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git,” said Brinkmann.
Indexed as CVE-2018-12020, the flaw affects GnuPG only when its verbose setting, which is typically used in troubleshooting, is enabled.
While verbose mode was not enabled by default in vulnerable programs, several recommended configurations listed online have it turned on.
With verbose mode enabled, Brinkmann’s proof-of-concept attack works by hiding metadata in an encrypted message, which tricks applications into treating it as if the signature had been verified.
Programs like Enigmail and GPGTools then cause email applications such as Thunderbird or Apple Mail to incorrectly show that an email was cryptographically signed. All the attacker needs to forge a digital signature is to have a public key or key ID.
SigSpoof has been patched in GnuPG version 2.2.8, Enigmail 2.0.7, GPGTools 2018.3, and Python GnuPG 0.4.3.
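The two conditions the article names, verbose mode in the configuration and a GnuPG release older than 2.2.8, can be checked together. The following is an added example, not code from the article, Brinkmann, or the GnuPG project; the function names, the sample `gpg.conf` text and the version banner are constructed for illustration, and it inspects only the configuration file and the GnuPG version, not command-line flags or mail front-ends.

```python
import re

PATCHED_GNUPG = (2, 2, 8)  # fixed GnuPG release named in the article

# Constructed sample of a gpg.conf copied from an online "recommended" setup.
SAMPLE_CONF = """\
# hardened defaults
keyid-format 0xlong
verbose
"""

def verbose_enabled(conf_text):
    """Return True if gpg.conf-style text leaves verbose mode switched on."""
    level = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Tolerate leading dashes on the option name (assumption of this example).
        option = line.split()[0].lstrip("-").lower()
        if option == "verbose":
            level += 1   # each occurrence raises the verbosity level
        elif option == "no-verbose":
            level = 0    # resets the verbosity level to zero
    return level > 0

def gnupg_version(banner):
    """Parse the first line of `gpg --version`, e.g. 'gpg (GnuPG) 2.2.4'."""
    match = re.search(r"\(GnuPG\)\s+(\d+)\.(\d+)\.(\d+)", banner)
    if match is None:
        raise ValueError("not a GnuPG version banner")
    return tuple(int(part) for part in match.groups())

def sigspoof_exposure(conf_text, banner):
    """Classify a host against the two conditions described in the article."""
    outdated = gnupg_version(banner) < PATCHED_GNUPG
    verbose = verbose_enabled(conf_text)
    if outdated and verbose:
        return "exposed: upgrade GnuPG and remove verbose from gpg.conf"
    if outdated:
        return "outdated: upgrade GnuPG to 2.2.8 or later"
    if verbose:
        return "patched: verbose still set, remove unless troubleshooting"
    return "ok"

if __name__ == "__main__":
    print(sigspoof_exposure(SAMPLE_CONF, "gpg (GnuPG) 2.2.4"))
```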