OpenPGP.js Signature Verification Spoofing Vulnerability

Vulnerability

A vulnerability in OpenPGP.js, a JavaScript implementation of the OpenPGP protocol, allows spoofing of signature verification for inline (non-detached) signed messages and for signed-and-encrypted messages. This issue is present in OpenPGP.js versions 5.0.1 prior to 5.11.3 and 6.0.0-alpha.0 prior to 6.1.1. The vulnerability arises when a maliciously modified message is passed to the 'openpgp.verify' or 'openpgp.decrypt' functions: they may return a valid signature verification result together with data that was not actually signed, thereby allowing an attacker to manipulate the perceived authenticity of messages.

Impact

Exploitation of this vulnerability allows an attacker to spoof signature verifications, making it appear that a message was legitimately signed when it was not. This could lead to unauthorized actions being taken based on the false assumption that a message's authenticity has been verified.

Remediation

Users can upgrade to OpenPGP.js versions 5.11.3 or 6.1.1 to address this vulnerability. Additionally, when verifying inline-signed messages, extract the message and signature(s) from the message returned by 'openpgp.readMessage', and verify each signature as a detached signature by passing the signature and a new message containing only the data (created using 'openpgp.createMessage') to 'openpgp.verify'. When decrypting and verifying signed-and-encrypted messages, decrypt and verify the message in two steps: first, call 'openpgp.decrypt' without 'verificationKeys', and then pass the returned signature(s) and a new message containing the decrypted data (created using 'openpgp.createMessage') to 'openpgp.verify'.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 5.0
exploitability: 5.1
remediation: 8.3
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.