Researchers reveal critical PGP and S/MIME bugs that could expose encrypted emails in plain text

A team of European security researchers have discovered a serious vulnerability that could reveal the contents of messages encrypted using the PGP and S/MIME email encryption standards in plain text. The Electronic Frontier Foundation confirmed the flaws and issued an advisory saying these vulnerabilities "post an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

Researcher Sebastian Schinzel, professor of computer security at the Münster University of Applied Sciences, detailed the attack dubbed EFAIL in a paper published Tuesday.

In this attack, the threat actor first gains access to the end-to-end encryption email message by intercepting in transit or stealing it from a compromised email account, email server, backup system or client computer. The attacker then embeds previously obtained ciphertext into unviewable parts of the email and combines it with HTML coding. The attacker then sends the changed email to the targeted victim after which the victim's email client then decrypts the email and loads any external content, essentially exfiltrating the plaintext to the attacker.

Researchers said this method could be used to decrypt older emails as well. Their proof of concept exploit shows to be successful against 25 out of 35 tested S/MIME, and 10 out of 28 OpenPGP email clients. The flaws affect several versions of Outlook, Apple Mail and Thunderbird.

The EFF has recommended users to immediately disable or uninstall plugins or tools that automatically decrypt PGP-encrypted email.

"Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email," the EFF said.

The foundation has also created guides on temporarily disabling PGP in Outlook using Gpg4win, Apple Mail with GPGTools and Thunderbird with Enigmail.

“These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community,” the EFF blog said. “We will release more detailed explanation and analysis when more information is publicly available.”

Blocking all backchannel access including those not based on HTML, allows users to block all network requests. Users can also switch to alternative methods of secure communication or disable decryption in email clients during this period of uncertainty. This can be a short-term mitigation as this does not fix the vulnerability in the S/MIME and OpenPGP standards.

According to researchers, there are no reliable fixes for the vulnerability for now. The S/MIME and OpenPGP standards need to be updated to prevent EFAIL attacks.

Ryan Sipes, community manager for the developer group that maintains Thunderbird, told Ars Technica: "A patch that addresses the last known exploit vector has been submitted, and is currently in review and being tested. We expect to see this land in an update to our users before the end of the week."