Mozilla Thunderbird client saved OpenPGP keys in clear text

The free email client Mozilla Thunderbird has saved some users' OpenPGP keys in plain text for the past few months. The vulnerability (CVE-2021-29956) affected Thunderbird versions 78.8.1 to 78.10.1.

Due to the vulnerability, imported OpenPGP keys were stored on users' devices without encryption. This way, a local attacker could view and copy the keys and then impersonate the original sender of the supposedly protected emails.

A few weeks ago, some users of the desktop Thunderbird email client found that when they opened the program, they could view OpenPGP-encrypted emails without entering their master passwords. In Thunderbird, such messages should only be viewable after authentication.

Key handling processes have been rewritten to ensure their security. Prior to the code rewriting, the process for handling newly imported OpenPGP keys in Thunderbird was as follows:

1. Importing a secret key into a temporary memory area;
2. Unlock the key with a user-entered password;
3. Copying the key in permanent storage;
4. Protect your key with an OpenPGP Thunderbird automatic password;
5. Save a new list of secret keys on the drive.

After rewriting, the order of action was changed, in particular the order of steps 3 and 4.

1. Importing a secret key into a temporary memory area;
2. Unlock the key with a user-entered password;
3. Protect your key with an OpenPGP Thunderbird automatic password;
4. Copying the key in permanent storage;
5. Save a new list of secret keys on the drive.