Security flaw could expose your encrypted emails, researchers warn

Isaac Cain
May 15, 2018

The attack, as explained by The Verge, lets "bad actors inject malicious code into intercepted emails, despite encryption protocols created to protect against code injection".

The critical flaw found in the two encryption methods, PGP and S/MIME, allows hackers to pull plaintext from encrypted emails.

It is, for example, not enough to deter attacks by "nation state actors, large-scale breaches of email servers, revealing millions of email messages, or attackers compromising email accounts", they explain. The flaw, named EFAIL, reportedly affects both sent and received messages, including past correspondence.

"There are now no reliable fixes for the vulnerability", lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences, said yesterday.

Earlier on Monday, the researchers issued an advisory recommending PGP and S/MIME users disable the encryption in their e-mail clients but had planned to wait until Tuesday to provide technical details of the vulnerabilities.

The security flaws that have been discovered could potentially leak the contents of the messages you send and receive via email when they are protected with PGP or S/MIME encryption methods.

Headlines claiming "PGP is vulnerable" are inaccurate, the email service added.

Start by removing your S/MIME and PGP private keys from your email client...

The first is a "direct exfiltration" attack that relies on clients such as Apple Mail, iOS Mail, and Mozilla Thunderbird rendering encrypted email as HTML.

"The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc", the researchers - Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk - wrote.

Lingering software flaws in popular email clients can be exploited under certain conditions to access email content even when it is protected by the PGP or S/MIME standards, according to new research. "If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now".

The attack works by exploiting how email clients read HTML code, researchers said.

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.

The Electronic Frontier Foundation, on the other hand, is urging users to disable or uninstall PGP email plugins until the EFail threat is more widely understood. "In 2018, businesses must re-evaluate how they communicate, opting to phase out email for secure communications solutions that are open-source, independently audited and end-to-end encrypted".
