The security flaw was discovered when researchers at Counterpane
Internet Security and Columbia University found a way to modify
e-mail messages encrypted by PGP without having to decrypt them.
The ‘attacks’ were tested on PGP 2.6.2 and GnuPG.
It appears that the flaw allows potential attackers to intercept
an e-mail, apply an algorithm to “repackage” the message and then
pass it along to the intended recipient with the interceptor’s
address in the reply line.
The text of the modified message would appear as gibberish,
possibly prompting the recipient to request a re-send. If the
recipient includes the original text in the request, the
interceptor may be able to determine the original message.
This could happen easily, since most users configure their
software to automatically include the original text of an e-mail in
re-send requests.
According to the researchers, the flaw is difficult to exploit,
and users may largely prevent attacks by compressing data before
encryption (compression is turned on by default).
However, they claimed that implementations precisely adhering to
the OpenPGP standard would still be vulnerable. This is because the
standard does not explicitly require integrity checks of messages
and the implementation of compression is optional.
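
The role of the integrity check and of compression can be seen in a small added example (not code from the researchers, PGP or GnuPG): it shows what a recipient sees when one byte of a message is changed in transit. The toy SHA-256 keystream cipher, the keys, the nonce and the message are constructed stand-ins, and it does not reproduce the researchers' method.

```python
import hashlib, hmac, zlib

KEY, MAC_KEY, NONCE = b"k" * 32, b"m" * 32, b"n" * 16   # constructed demo values

def keystream_xor(data: bytes) -> bytes:
    """Toy SHA-256 counter keystream cipher (assumed stand-in); encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(KEY + NONCE + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag over nonce + ciphertext."""
    ct = keystream_xor(plaintext)
    return ct + hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()

def open_sealed(blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return keystream_xor(ct)

def flip(blob: bytes, index: int) -> bytes:
    """Simulate modification in transit: invert one byte."""
    out = bytearray(blob)
    out[index] ^= 0xFF
    return bytes(out)

def receive_all(msg: bytes) -> dict:
    """Return what the recipient sees for each of the three message formats."""
    # No integrity check: decryption succeeds and silently yields altered text.
    result = {"plain": keystream_xor(flip(keystream_xor(msg), 5))}
    try:
        result["compressed"] = zlib.decompress(
            keystream_xor(flip(keystream_xor(zlib.compress(msg)), -1)))
    except zlib.error:
        result["compressed"] = "rejected"   # Adler-32 trailer no longer matches
    try:
        result["sealed"] = open_sealed(flip(seal(msg), 5))
    except ValueError:
        result["sealed"] = "rejected"       # HMAC tag no longer matches
    return result

if __name__ == "__main__":
    print(receive_all(b"Meet at the usual place at nine."))  # constructed message
```

The zlib checksum is an incidental, non-cryptographic check, whereas the HMAC tag is an explicit integrity check keyed with a secret.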
At the same time, a San Francisco-based independent security
researcher claimed that Microsoft Internet Explorer fails to check
the validity of digital certificates and exposes on-line shoppers
to interceptions of their personal data. Microsoft said that it is
not dismissing the report, but it pointed out that the report is
based on only a “preliminary investigation.”