Users Reveal Bugs That Can Read Plaintext of Encrypted Personal Emails

Muriel Hammond
May 15, 2018

Whilst most email is sent unencrypted, many businesses and people rely on S/MIME and PGP encrypted email communications to talk in private. It does not show how to "break" the actual encryption protocol supporting PGP, short for "pretty good privacy".

Email users who use PGP (based on OpenPGP) and S/MIME to encrypt and decrypt their communications are at "immediate risk".

PGP is often used to encrypt messages in popular email programs such as Outlook, Apple Mail, Thunderbird, and Enigmail. EFAIL basically strips those protections and lets attackers read encrypted messages regardless of who sent them, how long ago they were sent, or how they were initially compromised.

It reports that there are two attacks, and both require attackers to first have obtained a target's ciphertext, and that the target is using an HTML email client. They've disclosed the vulnerability to the companies providing email programs, so watch out for software patches. While encrypted email keeps your messages secret, email clients see HTML content - for example, images or hyperlinks - and translate them in plain-text, even if there is encrypted content in them.

According to the ABA's 2017 Legal Technology Research Survey, 36.4 percent of responding firms and solo practitioners used some form of email encryption. Secure/Multipurpose Internet Mail Extensions (S/MIME) is an alternative end-to-end encryption standard that is used to secure corporate email communication.


Also, Robert Graham at Errata Security, examined the flaws and came away with a different take: "It only works if you've enabled your email client to automatically grab external/remote content", he said in a post. In fact, the only clients protected against S/Mime attacks are Claws Mail and Mutt whereas more clients are protected against PGP-targeting attacks.

Schinzel and his team's research has been corroborated by Electronic Frontier Foundation (EFF), and has been described in detail by the researchers in a paper published earlier today. Dubbing the series of flaws that make this attack possible as eFail, researchers said that some of these security vulnerabilities are a decade-old.

It advised users to disable the use of active content, such as HTML code and the loading of external content, and to secure their email servers against external access.

The group of researchers plan to publish their research paper with details about the vulnerability on Tuesday.

Indeed, El Reg recommends opening PGP-encrypted emails in a text editor on a secured virtual machine, host, or container, depending on your level of paranoia, rather than allow encrypted HTML messages to be parsed and rendered.

Other reports by

Discuss This Article

FOLLOW OUR NEWSPAPER