There's a vulnerability in common forms of email encryption

Security researchers have gone public with vulnerabilities in some secure mail apps that can be exploited by miscreants to decrypt intercepted PGP-encrypted messages.

One of the researchers, Sebastian Schinzel, who runs the IT security lab at the Münster University of Applied Sciences, tweeted: "There are now no reliable fixes for the vulnerability".

Unlike PGP, S/MIME (Secure/Multipurpose Internet Mail Extensions) is an email-only encryption program. The professor recommended that all users immediately delete this software from their devices so that hackers are unable to read their correspondence.

The group of researchers plans to publish its research paper with details about the vulnerability on Tuesday.

Additional information about the vulnerability is available on the website the researchers created. Because a full block of plaintext is known to the attacker (the researchers cite S/MIME emails starting with "Content-type: multipart/signed" as one example), the attacker can "repeatedly [append] CBC gadgets to inject an image tag into the encrypted plaintext".

More details to come.

Direct Exfiltration affects Apple's macOS and iOS Mail clients, as well as Mozilla's Thunderbird, enabling an attacker to send an email that automatically decodes and shares a victim's encrypted message content in a reply.

Schinzel also urged users via Twitter to visit the blog posts by the EFF, which include detailed step-by-step guides on how to disable PGP in Outlook, Apple Mail, and Thunderbird. But the authors state that they have "disclosed the vulnerabilities to all affected email vendors, and to national CERTs and our findings were confirmed by these bodies". (Both protocols are used to secure end-to-end encrypted emails.) They dubbed the vulnerability "EFAIL" because it effectively breaks these emails' protections.

Keith Lee, the founder of LawyerSmack, an online legal community, says: "The most [lawyers] are doing is using GSuite or some equivalent and relying on that in transit encryption, but are rarely (if ever) actually encrypting the text/content of emails". "In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation", the expert said.

For the time being, there's no fix, so your best bet would be to remove these encryption standards from your email communications.

PGP has in the past been endorsed, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the US National Security Agency before fleeing to the Russian Federation. Hacker House cofounder and Brit infosec pro Matthew Hickey told The Register that while we're unlikely to see widespread abuse of EFAIL, the potential for targeted attacks against journalists, corporations, activists, and academics makes it worth taking seriously.
