Page MenuHome GnuPG

Gpgol 1.3.0 beta might leak plaintext if it is deactivated at the wrong time
Closed, ResolvedPublic

Description

GpgOL 1.3.0 replaces the body of a mail / decrypts attachments at runtime in the
read event. This is ok because it also catches write events and encrypts
attachments / wipes the mail body again in those events.

But in case GpgOL is deactivated through Outlook options we no longer see the
write event and so we don't wipe the mail. Leaking plaintext.

The workaround for that issue is clear "Don't deactivate GpgOL" but we can fix
this if we keep track of all Mailitems that need to be wiped and wipe them when
our Addin instance is released / deleted.

Details

Version
1.3.0-beta

Event Timeline

Fixed with: b942f73

If GpgOL is deactivated it cleans up after itself and wipes the plaintext from
mails / session encrypts attachments.
If that fails it shows a warning message.