The issue raises concerns about the trustworthiness of encrypted communications that rely on the library.
“To spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker’s choice, which will appear as legitimately signed by affected versions of OpenPGP.js,” the advisory noted.
The flaw would allow attackers to alter the content of inline-signed messages while still producing a result that indicates the signature is valid.
In cases involving both signed and encrypted messages, an attacker with access to a legitimate signature could encrypt a different message of their choosing and have it appear authenticated.