There's a vulnerability in common forms of email encryption

There's a vulnerability in common forms of email encryption

Security researchers have gone public with vulnerabilities in some secure mail apps that can be exploited by miscreants to decrypt intercepted PGP-encrypted messages.

One of the researchers, Sebastian Schinzel, who runs the IT security lab at the Münster University of Applied Sciences, tweeted: "There are now no reliable fixes for the vulnerability".

Unlike PGP, S/MIME (Secure/Multipurpose Internet Mail Extensions) is an email-only encryption program. The Professor recommended that all users immediately delete from their devices this software so that hackers are unable to read their correspondence.

The group of researchers plan to publish their research paper with details about the vulnerability on Tuesday.

Additional information about the vulnerability is available on the website the researchers created. Because a full block of plaintext-the researchers cite S/MIME emails starting with "Content-type: multipart/signed" as one-is known to the attacker, this allows the attacker to "repeatedly [append] CBC gadgets to inject an image tag into the encrypted plaintext".

More details to come.

More news: When can I legally bet on sports?
More news: 82 women walk the red carpet in Cannes film fest protest
More news: Apple sued for selling Macbooks with defective keyboards

Direct Exfiltration affects Apple's macOS and iOS Mail clients, as well as Mozilla's Thunderbird, enabling an attacker to send an email that automatically decodes and shares a victim's encrypted message content in a reply.

Schinzel also urged users via Twitter to visit the blog posts by the EFF, which includes detailed step-by-step guides on how to disable PGP in Outlook, Apple Mail, and Thunderbird. But the authors state that they have "disclosed the vulnerabilities to all affected email vendors, and to national CERTs and our findings were confirmed by these bodies". (Both protocols are used to secure end-to-end encrypted emails.) They dubbed the vulnerability "EFAIL" because it effectively breaks these emails' protections.

Keith Lee, the founder of a LawyerSmack, an online legal community, says: "The most [lawyers] are doing is using GSuite or some equivalent and relying on that in transit encryption, but are rarely (if ever) actually encrypting the text/content of emails". "In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation", the expert said.

For the time being, there's no fix so your best bet would be to remove these encryption standards from their email communications.

PGP has in the past been endorsed, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the US National Security Agency before fleeing to Russian Federation. Hacker House cofounder and Brit infosec pro Matthew Hickey told The Register while we're unlikely to see widespread abuse of EFAIL, the potential for targeted attacks against journalists, corporations, activists, and academics makes it worth taking seriously.

Related Articles