Digital signatures confirm the sender of an email is genuine, that an email is authentic, and has not been intercepted and altered in transit. However, vulnerabilities have been identified in the implementation of digital signature technology in several popular email clients which could be exploited in digital signature spoofing attacks.
Were that to happen, the recipient of an email would likely believe the communication is genuine and may take actions requested in the message. That may involve replying and attaching or disclosing sensitive information or making a fraudulent wire transfer, as is common in business email compromise attacks.
The vulnerabilities exist in how OpenPGP and S/MIME email signatures are implemented in a range of email clients and were identified by researchers at Ruhr University Bochum and Münster University of Applied Sciences.
The researchers tested 20 popular Windows, macOS, iOS, Android, and Linux email clients and found 14 were vulnerable to at least one type of digital signature spoofing attack. Affected mail clients include Microsoft Outlook, Thunderbird, Apple Mail with GPGTools, iOS mail, KMail, Roundcube, and Evolution.
In tests, the spoofed email signatures were indistinguishable from emails with genuine digital signatures. Some of the attacks also indicated to the recipient that an email had been encrypted in transit, when it had actually been sent in cleartext.
While it is possible to determine whether the digital signatures have been spoofed by investigating further, it is a concern as most people would not perform any further checks to determine the authenticity of an email if it had been digitally signed.
Five different categories of vulnerabilities were identified:
- CMS Attacks: Mishandling of Cryptographic Message Syntax (CMS) with unusual data structures such as multiple signers.
- GPG API Attacks: Improper parsing of inputs which could allow the injection of arbitrary strings into GnuPG status line API and logging measures. This allows successful signature verification to be displayed for arbitrary public keys.
- MIME Attacks: Vulnerabilities in the handling of partially signed messages leading to unsigned text being coupled with an unrelated signature
- ID Attacks: Flaws in the binding of signed messages to the sender identity which allow valid signatures to be displayed from a trusted communication partner in the mail header.
- UI Attacks: User Interface redressing attacks involving the mimicking of IU elements of an email client to display a valid email signature.
The findings were reported to the various email client developers, most of which have addressed the vulnerabilities in the latest versions of their mail clients.