Harvesting PGP secret keys from poorly secured Thunderbird instance

Oct 22, 2024 by Arnaud Stoz | 273 views

Pentesting Teaching

https://cylab.be/blog/367/harvesting-pgp-secret-keys-from-poorly-secured-thunderbird-instance

If you’re privacy-conscious (which is great!) and have set up Thunderbird to use PGP for signing and encrypting your emails, you’ve likely taken important steps to ensure that no third party, including your email provider, can access your private communications. You probably followed an online tutorial to get it set up—but have you enabled a primary password?

If you have, this blog will explain exactly what you’re protecting against. If you’re unsure what a master password is or haven’t set one up yet, you’re in the right place. By the end of this post, you’ll likely want to add that extra layer of security to your Thunderbird setup.

How password are managed by Thunderbird

Have you ever wondered how it’s possible that you don’t have to type your login credentials every time you open Thunderbird? Or how you only need to unlock your PGP password once, and then never have to enter it again when signing emails? How does this “magic” work?

I won’t go into too many details, as this topic has already been covered extensively in other articles, such as this one (in french) or this one.

As these two articles have already covered the password aspect, let’s shift our focus to the PGP side. When you import your PGP keys, you’re prompted to enter your password. However, Thunderbird does not store this password (thankfully).

Behind the scenes, Thunderbird follows three stages:

  1. It changes your PGP master password to a random one and stores it in the secring.gpg file.
  2. This new password is then encrypted and saved in a file called encrypted-openpgp-passphrase.txt.
  3. Finally, the encryption key is stored in a SQL file named key4.db

Here’s a visual representation of what’s happening behind the scenes. This diagram is intentionally simplified, as you can find more detailed explanations in the two articles mentioned earlier.

ThunderBird-PGPsecret-management.drawio.png

As you can see from the diagram, if someone gains access to the encryption key stored in the key4.db file, they could decrypt everything and steal your PGP keys !

And here’s the catch: the key4.db is not encrypted if you haven’t set a master password in thunderbird ! This means anyone with access to your computer could export and steal your PGP keys, along with your email passwords

Steal PGP credentials

However, it’s not as simple as just opening the file to retrieve the encryption key. Fortunately, some people has already worked on this and developed efficient tools, such as firepwd.

Once again, for a deeper understanding of what’s happening, I recommend reviewing the two articles mentioned earlier.

Firepwd enables users to extract their account credentials but does not address PGP keys. However, adding this functionality isn’t difficult, since the encryption key is encrypted in the same way as the account passwords.

The modified Firepwd can be found here. This enhanced version will only print the value of the PGP password, you will have to export the key manually by yourself.

Just run python3 firepwd.py -d $HOME/.thunderbird/$THUNDERBIRD_PROFILE_FOLDERS The output should look similar to this:

....
Decrypting openpgp-passphrase.txt
PGP Password : b'REDACTED'

Your PGP password is the redacted part. You can now use it to steal PGP private key by using gpg and entering the password when prompted.

How to mitigate

The most efficient way to mitigate this attack vector is to set up a primary password in thunderbird. While this approach may be a bit tedious—requiring you to enter the password for each new session of Thunderbird—it mitigates the attack as the primary password is used to encrypt key4.db. Without prior knowledge of the primary password and attacker cannot access your password and keys.

On another note, a good practice is to avoid importing your PGP master key into Thunderbird. By doing this, if your keys are compromised, you can simply revoke them without putting your master key at risk. This approach allows you to regenerate keys without losing the trust you’ve built.

Note that this solution does not mitigate the issue, it just minimize the impact of a compromise.

Conclusion

It is really easy to steal credentials or PGP keys from an unprotected thunderbird instance. However, the choice of setting up a primary password (even if always the best solution) should be taken according to your threat model.

This blog post is licensed under CC BY-SA 4.0

This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept