On Mon, May 14, 2018 at 04:59:12PM -0700, George Georgalis wrote:
|Could someone clarify how this attack scenario plays out? Are these
|pgp/html mail clients actually so broke that they would send crypto
|secrets as part of an http request while rendering a malicious email?
my understanding is that the text/html portion of the email is laced
with strings which match the MIME boundary marker and a pgp-encrypted
block containing the message that the attacker wants to decrypt. certain
mail clients will do this and then drop the resultant cleartext into the
same memory location as the pre-rendered HTML portion of the email[1].
In their example, the plaintext is appended to the end of an image url,
so that when the mail reader gets to the point of rendering the html,
the link fires and the exfil occurs with the HTTP GET request
the basic issue is that text/plain and text/html forms can be
constructed so that the mime boundary isn't properly escaped (which is
the basic exploit here) - if mail readers insisted on base64 encoded
html when encountering pgp-encrypted email, I think the problem would go
away ...
Regards,
Malcolm
[1] the paper asserts that this occurs, I have no idea the actual mechanism