The security flaw was discovered when researchers at Counterpane Internet Security and Columbia University found a way to modify e-mail messages encrypted by PGP without having to decrypt them. The ‘attacks’ were tested on PGP 2.6.2 and GnuPG.
It appears that the flaw allows potential attackers to intercept an e-mail, apply an algorithm to “repackage” the message and then pass it along to the intended recipient with the interceptor’s address in the reply line.
The text of the modified message would appear as gibberish, possibly prompting the recipient to request a re-send. If the recipient includes the original text in the request, the interceptor may be able to determine the original message.
This could happen easily, since most users configure their software to automatically include the original text of an e-mail in re-sent requests.
According to the researchers, the flaw is difficult to exploit, and users may largely prevent attacks by compressing data before encryption (compression is turned on by default).
However, they claimed that implementations precisely adhering to Open PGP standard would still be vulnerable. This is because the standard does not explicitly require integrity checks of messages and the implementation of compression is optional.
At the same time, a San Francisco-based independent security researcher claimed that Microsoft Internet Explorer fails to check the validity of digital certificates and exposes on-line shoppers to interceptions of their personal data. Microsoft said that it is not dismissing the report, but it pointed out that the report is based on only a “preliminary investigation.”