Critical flaw found in email encryption tools

Daniel Sambraus—EyeEm  Getty Images


More details are to be published by the researchers on May 15, who recommend not using the two encryption tools until they are fixed. The security flaw allows attackers to expose the contents of emails protected by the most popular email encryption standards, the researchers said.

"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim", the EFF's spokesperson explained. Furthermore, separate guides have been provided to disable PGP plugins in Thunderbird, Apple Mail, and Outlook.

The other attack method likely won't be nearly as straightforward to fix.

The attacker needs to first access encrypted emails, which could have been collected years ago. "This creates a single encrypted body part that exfiltrates its own plaintext when the user opens the attacker email".

The research paper details multiple approaches for using the vulnerabilities to decrypt S/MIME and OpenPGP encrypted emails. According to the researchers behind the discovery, attacks could be executed in one of two ways.

Another attack method that the researchers detailed is a relatively simple approach that exploits the interaction of HTML with S/MIME and OpenPGP. Many corporate email services employ S/MIME. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.


While some believe these vulnerabilities are overblown, since they require the attacker to already be in a privileged position, various security experts have advised users to uninstall PGP and S/MIME until fixes are made available. Affected vendors have hopefully been contacted in advance, so when the inevitable product updates and mitigation patches are pushed out, install them as quickly as possible. With the HTML rendering engine enabled, the mail client treats the decrypted message body as part of a URL, encodes it, and requests it from the attacker's server, thereby leaking the message.

More details to come.

Another short-term fix suggested by security researchers is that OpenPGP and S/MIME users decrypt emails outside of their primary email client.

Nobody knows. But we do know that end-to-end encrypted emails aren't as secure as we thought they were, and that means we'll have to continue to be careful about how we communicate.

BSI, EFF and others now advise users to disable the use of active content, such as HTML code and the loading of external content, and to secure their email servers against external access.
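The advice to stop loading external content can also be enforced before a message reaches a client. The following is an added example, not code from the article or from any of the vendors it mentions: a small filter, written in Python's standard library, that walks a MIME message, lists every remote resource its HTML parts would fetch, and flags the message for quarantine when such references sit alongside an S/MIME or PGP/MIME encrypted part. The two sample messages are constructed for the example, and the hostname `remote.example` is a placeholder.

```python
"""Flag inbound MIME messages whose HTML parts would pull remote content.

Added defensive example: intended as a gateway or local filter step that
mirrors the "disable loading of external content" advice. The messages
below are constructed for illustration only.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make a rendering mail client fetch a resource.
REMOTE_ATTRS = {
    "img": ("src",),
    "link": ("href",),
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
}

# Content types that carry an encrypted body (S/MIME and PGP/MIME).
ENCRYPTED_TYPES = {
    "application/pkcs7-mime",
    "application/x-pkcs7-mime",
    "multipart/encrypted",
}


class RemoteRefParser(HTMLParser):
    """Collect http(s) URLs that a client would request while rendering."""

    def __init__(self) -> None:
        super().__init__()
        self.remote_urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in REMOTE_ATTRS.get(tag, ()) and \
                    urlparse(value).scheme in ("http", "https"):
                self.remote_urls.append(value)
            # Inline CSS url(...) also triggers a fetch; record it as-is.
            if name == "style" and "url(" in value:
                self.remote_urls.append(value)


def remote_references(msg: Message) -> list[str]:
    """Return every remote reference found in the message's HTML parts."""
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        parser = RemoteRefParser()
        parser.feed(html)
        urls.extend(parser.remote_urls)
    return urls


def has_encrypted_part(msg: Message) -> bool:
    """True if any MIME part is an S/MIME or PGP/MIME encrypted body."""
    return any(p.get_content_type() in ENCRYPTED_TYPES for p in msg.walk())


def assess(raw: str) -> dict:
    """Summarise the risk of a raw RFC 822 message as a small dict."""
    msg = message_from_string(raw)
    urls = remote_references(msg)
    encrypted = has_encrypted_part(msg)
    return {
        "remote_urls": urls,
        "encrypted_part": encrypted,
        # Remote content next to an encrypted part is the combination the
        # researchers warned about, so that is what we quarantine on.
        "quarantine": bool(urls) and encrypted,
    }


# Constructed sample: HTML part with a remote image beside an S/MIME part.
SUSPICIOUS = """\
From: sender@example.org
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><img src="http://remote.example/pixel.gif"><p>hi</p></body></html>
--BOUNDARY
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
--BOUNDARY--
"""

# Constructed sample: plain-text message, nothing to fetch, nothing encrypted.
BENIGN = """\
From: sender@example.org
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Just text.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, assess(raw))
```

The check is deliberately conservative: it reports every remote reference rather than trying to recognise a particular malicious structure, because the mitigation the BSI and EFF recommend is to stop fetching external content altogether, not to pattern-match one exploit layout.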
