'Efail' exploit can expose old email content that was previously encrypted

Share

Email Vulnerable: The internet's two most popular forms of encryption over the net - PGP and S/MIME-vulnerable to hacks that can reveal the plaintext of encrypted emails and messages, according to researcher Sebastian Schinzel, a professor of computer security with Münster University of Applied Sciences. Unfortunately, guarding messages from an attacker with full access to your data is one of the primary use cases for both encryption formats.

EFAIL works by targeting "active content" of HTML emails - namely loaded images or styles - to exfiltrate plaintext through requested URLs.

The attacker creates a new multipart email message and prepares it in a special way.

Cluley also highlighted that because Efail attacks rely on past encrypted emails being sent to the target, it is a visible and obvious attack method that could be easily identified using a script that scans incoming email for malformed IMG tags.

"There are now no reliable fixes for the vulnerability", lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences, said yesterday.

More news: Mike D'Antoni: Rockets are 'obviously the underdog' against Warriors

Security experts from Europe are warning users who encrypt their email with PGP and S/MIME, saying they are no longer safe to use. You can also disable HTML rendering in your email messages. The PGP CFB gadget attack was assigned CVE-2017-17688, while the S/MIME CBC vulnerability was given CVE-2017-17689.

PGP is often used to encrypt messages in popular email programs such as Outlook, Apple Mail, Thunderbird, and Enigmail. Within hours, the researchers published the paper, which is titled Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.

Academics from the Electronic Frontier Foundation have discovered critical vulnerabilities in two email encryption protocols.

In fact, users are being advised to stop using and disable the encryption tools immediately in their email client if they use them for sensitive communications. In particular, he's recommended temporarily disabling PGP/GPG in Outlook, Apple Mail and Thunderbird. Instead, the flaw is in various email programs that failed to check for "decryption errors properly before following links in emails that included HTML code".

In the future, patches should prevent this PGP flaw from being exploited. "In 2018, businesses must re-evaluate how they communicate, opting to phase out email for secure communications solutions that are open-source, independently audited and end-to-end encrypted". The vulnerability allows hackers to read an encrypted email by making changes to its HTML, which essentially tricks the affected email applications into decrypting the rest of the message.

Share