There's a vulnerability in common forms of email encryption

Security researchers have gone public with vulnerabilities in some secure mail apps that can be exploited by miscreants to decrypt intercepted PGP-encrypted messages.

One of the researchers, Sebastian Schinzel, who runs the IT security lab at the Münster University of Applied Sciences, tweeted: "There are now no reliable fixes for the vulnerability".

Unlike PGP, S/MIME (Secure/Multipurpose Internet Mail Extensions) is an email-only encryption program. The professor recommended that all users immediately delete this software from their devices so that hackers are unable to read their correspondence.

The group of researchers plans to publish its research paper with details about the vulnerability on Tuesday.

Additional information about the vulnerability is available on the website the researchers created. Because a full block of plaintext is known to the attacker (the researchers cite S/MIME emails starting with "Content-type: multipart/signed" as one), this allows the attacker to "repeatedly [append] CBC gadgets to inject an image tag into the encrypted plaintext".

More details to come.


Direct Exfiltration affects Apple's macOS and iOS Mail clients, as well as Mozilla's Thunderbird, enabling an attacker to send an email that automatically decodes and shares a victim's encrypted message content in a reply.

Schinzel also urged users via Twitter to visit the blog posts by the EFF, which include detailed step-by-step guides on how to disable PGP in Outlook, Apple Mail, and Thunderbird. But the authors state that they have "disclosed the vulnerabilities to all affected email vendors, and to national CERTs and our findings were confirmed by these bodies". (Both protocols are used to secure end-to-end encrypted emails.) They dubbed the vulnerability "EFAIL" because it effectively breaks these emails' protections.

Keith Lee, the founder of LawyerSmack, an online legal community, says: "The most [lawyers] are doing is using GSuite or some equivalent and relying on that in transit encryption, but are rarely (if ever) actually encrypting the text/content of emails". "In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation", the expert said.

For the time being, there's no fix, so your best bet would be to remove these encryption standards from your email communications.

PGP has in the past been endorsed, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the US National Security Agency before fleeing to the Russian Federation. Hacker House cofounder and Brit infosec pro Matthew Hickey told The Register that while we're unlikely to see widespread abuse of EFAIL, the potential for targeted attacks against journalists, corporations, activists, and academics makes it worth taking seriously.
