Enigmail PGP plugin forgets to encrypt mail sent as blind copies

Enigmail has patched a hole in the world's most popular PGP email platform that caused mail to be sent unencrypted when all security check boxes were ticked.

The dangerous hole in the Mozilla Thunderbird extension affected email that was sent only to blind carbon copy recipients on all versions below 1.7.2 released last month.

It could mean any Enigmail user, possibly activists and journalists, may have sent apparently encrypted emails that could be read by attackers.

Enigmail dev Nicolai Josuttis explained the bug in a release note.

"On previous versions of Enigmail one could send an encrypted email to a set of BCC recipients," Josuttis said.

"Enigmail would ask if one wants to 'Hide BCC recipients' and then send the email encrypted to all of them without revealing to whom the email was sent.

"Such functionality is missing in version 1.7. Even when marked to be encrypted, an email with only BCC recipients is sent in plain text!"

The email was sent in plaintext after users check boxes to encrypt their message.

Computer Incident Response Center Luxembourg issued an alert stating "remote attackers [could] obtain sensitive information by sniffing the network."

It was assigned CVE-2014-5369 by the OpenWall initiative last month.

Computer scientist posting on the Enigmail support forum blasted the error and expresed dismay at having to tell journalists in an upcoming training session to use command prompt to send email.

"As a serious user (dissident, whistle-blower, diplomatic or military user) I would now be waiting for the bad guys come and get me with their water-board," they wrote on the forum.

The impact of the bug was mitigated by the likelihood that users would send emails using the normal address field and not by blind carbon copy.

Prior to the official patch, the bug was fixed only in a nightly Enigmail build while the vulnerable stable version remained open for download without prominent warning. ®