PGP, S/MIME Encrypted Emails Can Be Revealed by Client Vulnerabilities, Researchers Say


On Tuesday, a team of researchers is planning to release details of a critical vulnerability that they claim could have serious consequences for internet users who use PGP/GPG to encrypt and decrypt their sensitive email communications.

The researchers meant to hold off on full publication until Tuesday, May 15, but the white paper was published earlier because the embargo was broken. The attack relies on a three-part message being sent. Separate guides have been provided to disable PGP plugins in Thunderbird, Apple Mail, and Outlook. The digital privacy watchdog also suggested the use of alternatives, such as Signal, for the time being, while the implications of the vulnerabilities described in the paper are better understood, and hopefully mitigated, by the cybersecurity community. "In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation," the expert said. The reason is that a team of European researchers has found critical flaws in the encryption standards, and there are currently no fixes available.

So clients like Apple Mail, iOS Mail and Mozilla Thunderbird would treat the email as HTML instead of an encrypted message, and display it as one plaintext email instead of three hashed messages.
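A mail gateway or mailbox audit can look for the message shape described above: an encrypted part delivered as one of several sibling parts next to HTML, rather than as the whole message. The following Python sketch is an added example, not code from the researchers or from any mail client; the function names, the heuristic and the sample messages are assumptions constructed for illustration.

```python
"""Flag mail where an encrypted MIME part sits beside text/html siblings."""
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def is_encrypted(part):
    """True for S/MIME enveloped data, PGP/MIME, or inline PGP armor."""
    ctype = part.get_content_type()
    if ctype in SMIME_TYPES:
        # S/MIME also uses this type for signed-only mail; skip that case.
        return part.get_param("smime-type", "enveloped-data") != "signed-data"
    if ctype == "multipart/encrypted":
        return True
    if part.get_content_maintype() == "text":
        return PGP_ARMOR in (part.get_payload(decode=True) or b"")
    return False

def mixed_encrypted_containers(msg):
    """Return the child content types of every multipart node that mixes
    an encrypted part with text/html siblings (assumed heuristic)."""
    findings = []
    for node in msg.walk():
        if not node.is_multipart() or node.get_content_type() == "multipart/encrypted":
            continue
        children = node.get_payload()
        has_enc = any(is_encrypted(c) for c in children)
        has_html = any(c.get_content_type() == "text/html" for c in children)
        if has_enc and has_html:
            findings.append([c.get_content_type() for c in children])
    return findings

def constructed_sample(wrapped):
    """Constructed test mail: an encrypted part alone, or between HTML parts."""
    enc = MIMEApplication(b"constructed ciphertext", "pkcs7-mime",
                          smime_type="enveloped-data")
    if not wrapped:
        return message_from_bytes(enc.as_bytes())
    outer = MIMEMultipart("mixed")
    outer.attach(MIMEText("<p>constructed leading part</p>", "html"))
    outer.attach(enc)
    outer.attach(MIMEText("<p>constructed trailing part</p>", "html"))
    return message_from_bytes(outer.as_bytes())

if __name__ == "__main__":
    for wrapped in (False, True):
        print(wrapped, mixed_encrypted_containers(constructed_sample(wrapped)))
```

A hit is a reason to quarantine and review, not proof of tampering: forwarded mail with an encrypted attachment can produce the same structure.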

S/MIME is relatively commonplace in enterprise email networks, making this vulnerability particularly concerning.

The EFAIL vulnerabilities, which currently have no software patch, "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", according to the researchers. The EFAIL attacks rely on external communication, so if a user is decrypting emails in a standalone application, the risks are somewhat muted.

In the first exploit, hackers can "exfiltrate" emails in plaintext by exploiting a weakness inherent in Hypertext Markup Language (HTML), which is used in web design and in formatting emails.

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email." The emails are then changed in a particular way and sent to a victim. The attacker would have to have access to the encrypted emails to begin with, meaning that the victim's account would need to be compromised as a starting point.

To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient.