Vulnerability in Pep

Due to a vulnerability in the Pretty Easy Privacy feature, the Thunderbird extension Enigmail sometimes sent e-mail unencrypted that should have been encrypted. The cause has been found and the problem solved. Pretty Easy Privacy (Pep) is software that simplifies the handling of OpenPGP and is delivered with the Thunderbird extension Enigmail. Due to a fatal error in the Windows version of the software, e-mails could under certain circumstances be transmitted unencrypted, while the user was wrongly informed that they had been encrypted. The bug was fixed by the Pep Foundation, which developed the software.

The bug was found in version 1.0.23 of September 26. The Pep Foundation responded immediately to the discovery of the vulnerability and withdrew that version on October 3. The current version 1.0.24 solves the problem and also introduces new tests and better error handling for Enigmail. The cause of the vulnerability was a build error in the Windows version of Enigmail / Pep: an unlinked library in Pep resulted in a crash, and the messages were left unencrypted. Enigmail then sent the unencrypted e-mails for lack of appropriate error handling.

The footer still showed the notice “Privacy Status: Secure & Trusted”, which is supposed to appear only if the e-mails are encrypted. As a preliminary workaround, the Pep developers recommended switching off Junior mode and using only the normal Enigmail functionality. With the new version, it can safely be activated again.
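
The failure mode described above (a backend crash, a plaintext send and a "Secure & Trusted" footer) comes down to fail-open error handling. The sketch below is an added example, not Enigmail or Pep code: the function names and the stand-in backends are hypothetical, and the armor check is a minimal sanity check rather than a full OpenPGP parse.

```javascript
// Added illustration; not Enigmail or Pep code. All names are hypothetical.
const ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----";
const ARMOR_END = "-----END PGP MESSAGE-----";

// Stand-in for an encryption backend whose native library failed to load.
function brokenBackend(plaintext) {
  throw new Error("backend unavailable: library not loaded");
}

// Stand-in for a working backend (constructed output, no real cryptography).
function workingBackend(plaintext) {
  const body = Buffer.from(plaintext).toString("base64");
  return `${ARMOR_BEGIN}\n\n${body}\n${ARMOR_END}\n`;
}

// Fail-open pattern: on backend error the plaintext goes out anyway, and the
// status reflects what was requested rather than what actually happened.
function prepareFailOpen(plaintext, backend) {
  let body = plaintext;
  try { body = backend(plaintext); } catch (e) { /* error swallowed */ }
  return { send: true, body, status: "Secure & Trusted" };
}

// Fail-closed pattern: refuse to send unless the body that would leave the
// machine is armored and does not contain the plaintext.
function prepareFailClosed(plaintext, backend) {
  let body;
  try {
    body = backend(plaintext);
  } catch (e) {
    return { send: false, body: null, status: "Not sent: " + e.message };
  }
  const armored = typeof body === "string" &&
    body.trimStart().startsWith(ARMOR_BEGIN) &&
    body.trimEnd().endsWith(ARMOR_END);
  if (!armored || body.includes(plaintext)) {
    return { send: false, body: null, status: "Not sent: output is not ciphertext" };
  }
  // The status is derived from the verified output, not from the request.
  return { send: true, body, status: "Secure & Trusted" };
}
```

The status string in the fail-closed path is set only after the outgoing body has been checked, so a crashed backend can never produce a "Secure & Trusted" footer on a plaintext message.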
