Proof of Bug with Eudora v3.x and PGP Plug-In

Standard configuration options under spellchecking allows user to toggle auto-spellcheck before queueing and sending e-mail.
The message is composed and user selects PGP sign. Passphrase challenge is presented.
Eudora invokes PGP and signs message, then initiates spellcheck. One word is changed to demonstrate.
Eudora then even attempts to "correct" the PGP signature itself!
Even long strings are not immune to this "correction."
End result: because the content of the signed message was altered by the spellchecker following original generation of the PGP signature, the message now has a "Bad Signature."

Back to Advisory