KMail Bug Sent Encrypted Emails in Plain-Text — for 4 years

A KMail bug has inadvertently sent PGP encrypted emails in plain-text — for the past four years!

A flaw in the ‘Send it Later’ feature, introduced in Kmail 4.11, allows users to schedule the time and date that emails are sent. Unfortunately, the feature was incompatible with the client’s OpenPGP implementation. This resulted in encrypted emails queued for sending actually being sent unencrypted.

You might blame to the sender for not double-checking that the relevant encryption was actually in place, but to play user advocate, Kmail makes all the right noises that the email contents will be sent encrypted using OpenPGP.

A reader called Daniel told us about the issue via our tip-form, explaining: “Scheduled email delivery in KMail would bypass the OpenPGP encryption system without warning and send private messages unsigned and without being encrypted.

“The bug exposed the private communications of KMail users for over four years before being discovered.”

The Flaw is Now Fixed

Kmail’s unencrypted frack up was spotted by Daniel Aleksandersen, who explained more about the flaw in a post on his Ctrl Blog:

“If you combined [send it later and OpenGPG], KMail would give every indication that the email message would be signed and encrypted. However, upon scheduling it to be sent at a later time, the OpenPPG routines were bypassed – leading to the email being sent in plain-text without being signed or encrypted.

The bug would lead to unintentional information disclosure of private message contents.

The “good” news is that the flaw is patched in KDE Applications 17.04.2. If you’re not running this version (or later) of the KDE apps bundle you should try to upgrade as soon as its convenient to do so.

I’d advise anyone using mail encryption and relying on a delay or scheduled send feature in an email client or service for to double check that the remote server the message is stored does actually store the contents encrypted.