A security flaw in the JavaScript implementation of OpenPGP.js allows threat actors to verify fake messages as if they were legitimate, essentially breaking public key cryptography.