======================================================================== Vulnerability Affecting FireGPG Passphrase and Cleartext Recovery 10/20/2008
FireGPG is a Firefox extension that provides a front-end to GPG, allowing webmail users to conveniently exchange GPG messages from Firefox.
Unfortunately, the way that FireGPG handles the user's passphrase and decrypted cleartext is not secure and may result in the compromise of secure communication or a users's private key.
FireGPG does its encrypt/decrypt/sign/verify operations by shelling out to a locally installed GPG executable. The problem is that instead of using stdin/stdout to pass information, it writes everything to disk and passes the files as arguments.
When a user receives an encrypted email and asks FireGPG to decrypt it, FireGPG prompts the user for her passphrase and then creates three temporary files. One for the ciphertext, one for the resulting cleartext (!), and one for the user's passphrase (!). The user's passphrase is then written to disk, and the temporary file in which it resides is passed to the gpg executable as a command-line argument. The cleartext from the decrypt operation is then written to disk as well, from where it is subsequently read and displayed to the user. The same process occurs for emails that are being encrypted and signed. Notably, in the latter cases the pre-encrypted cleartext is written to disk, as is the passphrase for the signing key.
Obviously, there are a number of attack vectors here. If an adversary were to seize the user's disk, they would easily be able to recover the passphrase used in previous FireGPG operations. In that case, all past correspondence secured by that key would be compromised. Even if the user had just changed their passphrase and hadn't used FireGPG since then, the adversary would be still be able to recover copies of decrypted and pre-encrypted cleartext emails that touched the disk.
Additionally, as another vector of attack, the temporary files that FireGPG creates for storing this information are constructed with predictable filenames. It is possible for someone with an account on the same machine to exploit the race condition that results at the time these files are created, such that the output from a decrypt operation is written to a symlink which points to a file that they own -- thus eliminating the need for data recovery. There is a working exploit for this.
Users who are serious about securing their data and communication against a threat model that includes others gaining access to their machines (either through hardware seizure or multiple user accounts) should change their passphrases and scrub their disks.
========================================================================= Affected Versions
All versions of FireGPG previous to 0.6 are vulnerable. Version 0.6 was released on 10/17/2008 in response to this issue.
-- Thoughtcrime: http://www.thoughtcrime.org Audio Anarchy: http://www.audioanarchy.org Anarchist Yacht Clubb: http://www.blueanarchy.org