'Efail' exploit can expose old email content that was previously encrypted

Prior to the leak, Schinzel stated that there were "no reliable fixes", and recommended that affected users disable the affected encryption software.

A security flaw with email encryption appears to have left a small opening for hackers to read your private messages.

Unfixed bugs in widely used e-mail programs make it possible for attackers to obtain the plaintext of messages that are encrypted using the PGP and S/MIME standards, researchers said early Monday morning.

"In a nutshell, eFail abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs", the paper said.
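The channel described in that quote can be checked for before a decrypted message is rendered. The following Python sketch is an added example, not code from the paper or from any mail client: it lists every element in a message's HTML parts that would make a client fetch a remote URL on render. The function names and the `tracker.example` host are assumptions, and clickable `<a>` links are deliberately not counted because they need user action.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
AUTO_ATTRS = {"src", "background", "poster"}  # fetched as soon as the mail is rendered

def is_remote(url):
    url = url.strip()
    return url.startswith("//") or urlparse(url).scheme.lower() in {"http", "https", "ftp"}

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        for name, value in attrs:
            value = (value or "").strip()
            if (name in AUTO_ATTRS or (tag, name) == ("link", "href")) and is_remote(value):
                self.hits.append((tag, name, value))
            elif name == "style":  # inline CSS can also trigger a fetch
                self.hits += [(tag, "style", u) for u in CSS_URL.findall(value) if is_remote(u)]
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:  # contents of a <style> block
            self.hits += [("style", "css", u) for u in CSS_URL.findall(data) if is_remote(u)]

def find_remote_loads(raw_message):
    """Return (tag, attribute, url) for every remote fetch in the text/html parts."""
    finder = RemoteLoadFinder()
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.hits

def sample_message():  # constructed sample; tracker.example is a placeholder host
    html = ("<html><head><style>body{background:url(http://tracker.example/bg.png)}</style>"
            '<link rel="stylesheet" href="https://tracker.example/s.css"></head><body>'
            '<img src="http://tracker.example/p?x=1"><img src="data:image/png;base64,AAAA">'
            '<a href="https://example.org/">link</a>'
            "<div style=\"background-image:url('//tracker.example/d.png')\"></div></body></html>")
    msg = EmailMessage()
    msg.set_content("plain-text body")
    msg.add_alternative(html, subtype="html")
    return msg.as_string()
```

A non-empty result from `find_remote_loads(sample_message())` is the signal to show the message as plain text or with remote content blocked.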

EFF also advises users to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted emails, and switch to safer tools until the issue is resolved.

An attacker could gain access to encrypted emails by monitoring network traffic, compromising email servers or the computers of users, or gaining access to backup servers. Having obtained the encrypted mail in one of these ways, the attacker then targets users of OpenPGP and S/MIME by sending a slightly modified S/MIME email to the victim's address.

Indeed, El Reg recommends opening PGP-encrypted emails in a text editor on a secured virtual machine, host, or container, depending on your level of paranoia, rather than allow encrypted HTML messages to be parsed and rendered.

"It's a lot of steps for sure, and one that honestly is more hypothetical than it is unsafe", Dave Kennedy, the chief executive at security company TrustedSec, said. The attack, as explained by The Verge, lets "bad actors inject malicious code into intercepted emails, despite encryption protocols created to protect against code injection".

"[The researchers] figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails".

The Electronic Frontier Foundation (EFF) has passed on the warning issued by a group of European security researchers after they found a set of vulnerabilities in PGP and S/MIME.

In 2017, the ABA Standing Committee on Ethics and Professional Responsibility released Formal Opinion 477 on "Securing Communication of Protected Client Information".

The second method is called the "CBC/CFB Gadget Attack". It stems from the PGP and S/MIME specifications themselves, affecting all email clients.

Sebastian Schinzel, lead of the IT security lab at the Münster University of Applied Sciences, said the paper would be published ahead of a scheduled date later this week after the embargo was broken.

Some experts, however, questioned the EFF's recommendation. They do note, however, that disabling HTML rendering won't completely stop EFAIL attacks.