Disable email encryption tools immediately, say researchers who found ‘critical vulnerabilities’

In a paper published Monday, security experts outline two attacks that malicious parties could use to gain access to a target's entire inbox.


A group of security researchers has discovered “critical vulnerabilities” in the common email encryption tools PGP and S/MIME, prompting calls for users to disable email plugins until a fix is developed.

In a paper published Monday, the group outlined a proof-of-concept process for how attackers could exploit weaknesses in how email clients like Apple Mail, iOS Mail, and Mozilla Thunderbird manage HTML in messages.

“The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker,” the researchers wrote in a paper that dubs the exploits “Efail attacks”.

A successful attack could theoretically grant malicious parties access to the entire contents of a target’s inbox. The Electronic Frontier Foundation provided a simplified explanation of the two attack methods:

“The first attack is a ‘direct exfiltration’ attack that is caused by the details of how mail clients choose to display HTML to the user. The attacker crafts a message that includes the old encrypted message. The new message is constructed in such a way that the mail software displays the entire decrypted message—including the captured ciphertext—as unencrypted text. Then the email client’s HTML parser immediately sends or ‘exfiltrates’ the decrypted message to a server that the attacker controls.

The second attack abuses the underspecification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext.”
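As an added illustration (not part of the article, the EFF explanation, or the Efail paper), the following Python script shows two defender-side checks a mail gateway or client could apply against the direct-exfiltration structure described above: it flags an encrypted MIME part that shares a multipart body with HTML sibling parts, flags HTML parts that reference remote resources, and neutralises such references before rendering, which is the “block remote content” mitigation hardened clients apply. The sample messages, host names and function names are constructed for this example and are not taken from the paper.

```python
"""Added example: defender-side checks for the MIME pattern the EFF describes.
Not code from the article or the Efail researchers; sample data is constructed."""
import re
from email import message_from_string
from email.message import Message

# Matches src=/href=/url( references to http(s) hosts inside HTML or CSS.
REMOTE_REF = re.compile(r"""(?:src|href|url)\s*[=(]\s*['"]?\s*(https?://[^'")\s>]+)""", re.I)


def is_encrypted_part(part: Message) -> bool:
    """True for an S/MIME or OpenPGP encrypted part (by type or by PGP armor)."""
    ctype = part.get_content_type()
    if ctype in ("multipart/encrypted", "application/pkcs7-mime"):
        return True
    if part.is_multipart():
        return False
    body = part.get_payload(decode=True) or b""
    return b"-----BEGIN PGP MESSAGE-----" in body


def remote_refs(html: str) -> list[str]:
    """All remote URLs an HTML renderer would fetch when displaying this part."""
    return REMOTE_REF.findall(html)


def block_remote_content(html: str) -> str:
    """Mitigation: rewrite remote references so rendering cannot trigger a fetch."""
    return REMOTE_REF.sub(lambda m: m.group(0).replace(m.group(1), "blocked:"), html)


def analyze(raw: str) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    for container in msg.walk():
        # Only look inside containers that mix parts; multipart/encrypted itself is normal.
        if not container.is_multipart() or container.get_content_type() == "multipart/encrypted":
            continue
        kinds = ["enc" if is_encrypted_part(c) else c.get_content_type()
                 for c in container.get_payload()]
        # Rule 1: ciphertext sharing a body with HTML siblings is the wrapping shape to review.
        if "enc" in kinds and "text/html" in kinds:
            findings.append("encrypted part has html siblings in " + container.get_content_type())
    for part in msg.walk():
        # Rule 2: any HTML part that would contact a remote host when rendered.
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for url in remote_refs(html):
                findings.append("remote resource in html part: " + url)
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample 1: an ordinary PGP/MIME message (no HTML around the ciphertext).
SAFE_MSG = """\
From: alice@example.org
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA0xCONSTRUCTEDSAMPLEx
-----END PGP MESSAGE-----
--enc--
"""

# Constructed sample 2: the same ciphertext wrapped between HTML parts, one of
# which points at a remote host (collector.example is a placeholder).
SUSPICIOUS_MSG = """\
From: mallory@example.net
To: bob@example.org
Subject: re: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="mix"

--mix
Content-Type: text/html

<html><body><p>Hello Bob,</p>
--mix
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA0xCONSTRUCTEDSAMPLEx
-----END PGP MESSAGE-----
--enc--
--mix
Content-Type: text/html

<img src="https://collector.example/pixel"></body></html>
--mix--
"""

if __name__ == "__main__":
    for name, raw in (("safe", SAFE_MSG), ("suspicious", SUSPICIOUS_MSG)):
        print(name, analyze(raw))
```

Both rules produce review signals rather than hard blocks: legitimate mail does forward encrypted parts inside HTML bodies, so a gateway would typically quarantine or strip remote content (as `block_remote_content` does) rather than reject outright.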

PGP, which stands for “Pretty Good Privacy,” and S/MIME have long been standards for end-to-end email encryption. These tools help people like journalists and whistleblowers be reasonably sure that sensitive information is readable only to sender and receiver. But today’s paper has raised debate in the cryptography community about the level of security these tools are able to provide, and what users should expect.

In the short term, the researchers and the Electronic Frontier Foundation (EFF) recommend that users disable PGP plugins and use non-email-based messaging platforms to decrypt messages until a long-term solution is developed.
