Published: Wed, May 16, 2018
Tech | By Dwayne Harmon

Critical vulnerabilities in PGP/GPG and S/MIME email encryption, warn researchers

"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages." S/MIME is an alternative standard for email end-to-end encryption that is typically used to secure corporate email communication.

Users of PGP email encryption have been warned to stop using the software immediately because a newly discovered security flaw may make it possible to read encrypted messages. The researchers explain that there are two main types of attack: direct exfiltration attacks (which target weak points in Apple Mail, iOS Mail and Mozilla Thunderbird) and CBC/CFB gadget attacks.

Furthermore, in order to exploit the Efail vulnerability, attackers would need to capture emails and send them to the original recipient for decryption, the researchers said.

The hacks: These essentially work by inserting manipulated text into an email that's been intercepted by hackers, and then sending it on to the unsuspecting recipient.

On a website dedicated to the flaw, researchers laid out how attacks would be carried out inside email clients through various code loopholes. The problem resides in how email clients use these plug-ins to decrypt HTML-based emails.

He argued it wasn't really a vulnerability in the OpenPGP system but rather in email programs that had been designed without appropriate safeguards. The attacker then injects image tags into the encrypted plaintext, creating a single encrypted body part. On the other hand, S/MIME is used mainly in enterprise infrastructure. The PGP encryption standard was developed in 1991; the name stands for "Pretty Good Privacy".

The EFF, an American organization for the protection of civil rights, has confirmed this information and also recommended disabling or uninstalling the software to fix the vulnerability.

"Use offline tools to decrypt PGP messages you have received in the past," the group said.

The flaws, some of which have existed for more than a decade, are part of a series of vulnerabilities dubbed Efail, described by a team of European researchers.

Schinzel also urged users via Twitter to visit the blog posts by the EFF, which include detailed step-by-step guides on how to disable PGP in Outlook, Apple Mail, and Thunderbird.

Indeed, El Reg recommends opening PGP-encrypted emails in a text editor on a secured virtual machine, host, or container, depending on your level of paranoia, rather than allowing encrypted HTML messages to be parsed and rendered.
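One way to follow the "offline tools" and "text editor" advice above is to pull the armored ciphertext out of a saved message without ever handing it to an HTML renderer. The sketch below is an added example, not code from the researchers, the EFF or El Reg; the function name, the sample message and its placeholder ciphertext are constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# ASCII-armored OpenPGP message block, matched across lines.
ARMOR = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL)

def extract_pgp_blocks(raw: bytes):
    """Return (armored_blocks, html_part_count) for a raw saved email.

    Parts are read as text only: nothing is rendered, nothing is fetched.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    blocks, html_parts = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            html_parts += 1  # counted so the caller knows not to render it
        # decode=True undoes base64 / quoted-printable transfer encoding.
        payload = part.get_payload(decode=True) or b""
        blocks.extend(ARMOR.findall(payload.decode("ascii", errors="replace")))
    return blocks, html_parts

# Constructed sample message; the armored body is a placeholder, not real ciphertext.
SAMPLE = b"""\
From: alice@example.org
To: bob@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html

<p>See the attached encrypted note.</p>
--XX
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

Q09OU1RSVUNURUQ=
-----END PGP MESSAGE-----
--XX--
"""

if __name__ == "__main__":
    found, html_count = extract_pgp_blocks(SAMPLE)
    print(f"{len(found)} armored block(s), {html_count} HTML part(s) left unrendered")
```

Each returned block can be written to a file and decrypted on the command line with `gpg --decrypt`, with the output viewed as plain text.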

In the US, the Electronic Frontier Foundation, which has relied on PGP extensively to secure its own email communications, recommended that users uninstall or disable their PGP email plug-in, citing the severity of the vulnerabilities.
