1. Forum
  2. tqwNet
  3. TQW GENTECH

  • An OpenPGP.js flaw just broke public key cryptography

    From TechnologyDaily@1337:1/100 to All on Wednesday, May 21, 2025 15:00:08
    An OpenPGP.js flaw just broke public key cryptography

    Date:
    Wed, 21 May 2025 14:00:00 +0000

    Description:
    Researchers found a bug that allowed malicious actors to spoof messages.
    Users are advised to patch up.

    FULL STORY ======================================================================There
    is a way to verify fake messages as if they were legitimate The bug affects multiple versions of OpenPGP.js A patch is available

    A security flaw in the JavaScript implementation of OpenPGP.js allows threat actors to verify fake messages as if they were legitimate, essentially breaking public key cryptography. This is according to security researchers Edoardo Geraci and Thomas Rinsma of Codean Labs, who found and recently reported the vulnerability.

    OpenPGP.js is an open-source JavaScript library that allows developers to encrypt , decrypt, sign, and verify messages using the OpenPGP standard. Normally, when a user signs a message digitally, it makes sure the content wasnt tampered.

    But in this case, the vulnerability lets the threat actor change the message content, while still making it seem as if it had a valid signature.

    60% off for Techradar readers

    With Aura's parental control software, you can filter, block, and monitor websites and apps, set screen time limits. Parents will also receive breach alerts, Dark Web monitoring, VPN protection, and antivirus.

    Preferred partner ( What does this mean? ) View Deal Applying the patch

    In theory, the vulnerability could be used for fake payment authorization, among other things. If a company used OpenPGP.js to verify digitally signed payment requests from its clients, an attacker could obtain a valid signed request, modify the payment details, and send it back, effectively stealing the money.

    Versions 5.0.1 to 5.12.2, and 6.0.0-alpha.0 to 6.1.0 of OpenPGP.js were said to be vulnerable, with the issue being patched in versions 5.11.3 and 6.1.1. Version 4 is safe, it was added.

    Those who cannot apply the patch immediately should at least apply the workaround. Users can check signatures separately instead of just trusting
    the systems verification, or decrypt messages in two steps to make sure the data is not tampered with.

    The bug is now tracked as CVE-2025-47934 and has a severity score of 8.7/10 (high). There is currently no confirmed evidence of abuse in the wild. A proof-of-concept (PoC) and detailed analysis of the vulnerability is coming soon, the maintainers said, likely to give users enough time to apply the patch.

    Via The Register You might also like Javascript files loaded with RATs hits thousands of victims Take a look at our guide to the best authenticator app We've rounded up the best password managers



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/an-openpgp-js-flaw-just-broke-public-ke y-cryptography


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)