KDE Messagelib SSL Error Handling Vulnerability in Google Safe Browsing Lookup API

Vulnerability

A vulnerability exists in KDE Messagelib versions prior to 25.11.90: the application ignores SSL errors when querying the Google Safe Browsing Lookup API's threatMatches:find method. Because certificate errors are not acted on, spoofed threat data could be accepted as genuine. Note that the Lookup API is not used by default in Messagelib.

Impact

Exploitation of this vulnerability could lead to incorrect handling of phishing threat data: malicious URLs could be falsely reported as safe, or safe URLs as malicious.

Reproduction

The vulnerability can be reproduced by having the Google Safe Browsing Lookup API's threatMatches:find method queried without proper SSL error handling. This requires a KDE Messagelib version prior to 25.11.90 configured to use the Lookup API, which may involve overriding the default settings or using a custom client implementation that bypasses SSL verification.
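As an added example (not Messagelib's own code), a minimal Python client for threatMatches:find that keeps TLS verification enabled and treats a TLS failure as "unverified" rather than "safe", so a spoofed or unverifiable response can never whitelist a URL. The API key, client identifier and the simulated TLS failure are constructed placeholders.

```python
"""Safe Browsing Lookup API (threatMatches:find) client with strict TLS.

Added example; assumes a pluggable transport so the fail-closed path can
be exercised offline without an API key.
"""
import json
import ssl
import urllib.request

# Real v4 Lookup API endpoint; the key is a constructed placeholder.
LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
API_KEY_PLACEHOLDER = "YOUR_API_KEY"

def build_request(url_to_check, client_id="example-client", client_version="1.0"):
    """Build the JSON body for a threatMatches:find lookup of one URL."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": url_to_check}],
        },
    }

def strict_tls_context():
    """Context that verifies the certificate chain and the hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def context_is_strict(ctx):
    """True when the context cannot silently accept a bad certificate."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED

def https_transport(body, api_key):
    """Real transport: POST the body over a verifying TLS connection."""
    req = urllib.request.Request(
        f"{LOOKUP_URL}?key={api_key}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=strict_tls_context(), timeout=10) as resp:
        return json.load(resp)

def simulated_tls_failure(body, api_key):
    """Constructed transport that behaves like a failed certificate check."""
    raise ssl.SSLCertVerificationError("constructed: certificate verify failed")

def check_url(url_to_check, api_key=API_KEY_PLACEHOLDER, transport=https_transport):
    """Return 'unsafe', 'safe' or 'unverified'. A TLS failure is never 'safe'."""
    try:
        response = transport(build_request(url_to_check), api_key)
    except ssl.SSLError:
        # Ignoring the error here (the weak pattern) would let a forged
        # "no matches" reply mark a phishing URL as safe; withhold the verdict.
        return "unverified"
    return "unsafe" if response.get("matches") else "safe"
```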

Remediation

Users can update to KDE Messagelib version 25.11.90 or later, where this vulnerability has been addressed.

Added: Jan 1, 2026, 12:17 AM
Updated: Jan 1, 2026, 12:17 AM

Vulnerability Rating (Custom Algorithm)

spread          6.6
impact          0.6
exploitability  5.7
remediation     7.7
relevance       1.8
threat          4.8
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.