Critical Flaw Found in PGP and S/MIME Email Clients Like Apple Mail


The attack relies on contacting the same person that sent the encrypted email in the first place.

Security researchers have discovered and warned against vulnerabilities in PGP/GPG and S/MIME email encryption standards that could be used by malicious actors.

The researchers said that they will publish more detailed information on May 15.

In the meantime, digital privacy rights group Electronic Frontier Foundation, which has reviewed the researchers' findings, confirmed that the bugs pose a risk to anyone using PGP and S/MIME and, as a "temporary, conservative stopgap", recommends disabling any email plug-ins that automatically decrypt such messages. There's currently no fix, researchers said.

Cybersecurity experts in Europe have identified flaws in the popular PGP and S/MIME email encryption standards that could expose plaintext versions of encrypted messages to hackers.

"The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc", the researchers - Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk - wrote. In contrast, mainstream email clients simply process and store your messages using plain text.

OpenPGP is an encryption standard that Internet users can use to protect sensitive data such as emails. The EFF has asked service providers to communicate the news to all users and ask them to disable all related security plugins, including Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win. EFF provides walk-throughs on its site to disable PGP for Apple Mail, Outlook and Thunderbird.

The researchers also noted that an attacker needs full access to the target's email account, i.e. the spy has to be able to log into your inbox. In other words, they can break the security measure and reveal the private contents of users' emails. The issue seems to lie in email programs not being designed with proper safeguards, and not in the PGP encryption itself, which will come as a relief to its users. "In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation", GNU Privacy Guard said on Twitter. "Having used PGP since 1993, this sounds baaad (sic)", F-Secure's Mikko Hypponen wrote in a tweet.

PGP has in the past been endorsed, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the US National Security Agency before fleeing to the Russian Federation.

In separate news, the researchers have come up with a new technology that could make hacking impossible.

"This is bad because the people who use PGP use it for a reason", he told the BBC.

"You can think of it as a black box", Strukov says. While the security community reacts to the research and assesses it, for now, Schinzel is keeping the public updated on social media.