Lingering software flaws that have existed in popular email clients can be exploited under certain conditions to access email content even when they’re protected by PGP or S/MIME standards, according to new research.
The research, dubbed “efail,” explains how it’s possible to exploit buggy email platforms, particularly in the way PGP is integrated into the platform. It does not show how to “break” the actual encryption protocol supporting PGP, short for “pretty good privacy.”
Sebastian Schnitzel, who co-authored the research, urged people to disable PGP or S/MIME in their email client until a fix can be issued.
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4
— Sebastian Schinzel (@seecurity) May 14, 2018
The research is focused on how popular HTML-based email platforms — like Mozilla’s Thunderbird, Apple’s Mail, and Microsoft Outlook — continue to mishandle specific, internal configurations within email. In practice, an attacker could leverage these issues to redirect components of an encrypted message decrypted by the email client towards their own server, revealing the actual plaintext behind the targeted e-mail.
Researchers were careful to state Monday that an attacker has to already have access to a person’s email account in order for the exploit to work.
On a website dedicated to the flaw, researchers laid out how attacks would be carried out inside email clients through various code loopholes.
In the short term, researchers call for users to disable HTML rendering and avoid decrypting emails in an email client. However, they also call for an updated to OpenPGP and S/MIME standards, so the vulnerabilities can be closed.