The flaw raises concerns about the trustworthiness of encrypted communications that rely on the library.
“In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker’s choice, which will appear as legitimately signed by affected versions of OpenPGP.js,” the advisory noted.
The flaw would allow attackers to alter the content of inline-signed messages while still producing a result indicating that the signature is valid.
In cases involving messages that are both signed and encrypted, an attacker with access to a legitimate signature could encrypt a different message of their choosing and have it appear authenticated.