Email encryption flaws can expose Apple Mail, Outlook, and Thunderbird messages

Sebastian Schinzel, the lead researcher on Efail and a professor of computer security at Münster University of Applied Sciences, said on Twitter that there were "currently no reliable fixes for the vulnerability".

In the short term, the researchers and the Electronic Frontier Foundation (EFF) recommend users disable PGP plugins and use non-email based messaging platforms to decrypt messages until a long-term solution is developed.

After modifying an encrypted email in a particular way, the attacker sends the modified encrypted email to the victim.

This attack exploits vulnerabilities in the way that popular clients such as Apple Mail, iOS Mail and Mozilla Thunderbird implement encryption. The attacker would first need access to the encrypted emails, meaning that the victim's account would need to be compromised as a starting point.

Pretty Good Privacy (PGP) is an encryption tool used to sign emails, documents, directories, and even full hard disks.


A group of nine researchers has discovered a critical vulnerability in end-to-end email encryption systems using OpenPGP and S/MIME.

"The first attack is a 'direct exfiltration' attack that is caused by the details of how mail clients choose to display HTML to the user".

He said attacks exploiting the vulnerabilities can be mitigated if users eschew HTML emails, or at least if they read them using a "proper MIME parser and disallow any access to external links".

"EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs". The researchers say new and archived emails are vulnerable to attack. EFF, the world's biggest digital rights group, which has seen the details, says that such a vulnerability is an "immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages". PGP does not encrypt metadata and is very far from easy to use, but it is nevertheless widely regarded as by far the safest way to send secure emails.
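The mitigation quoted above, reading mail with a proper MIME parser and disallowing access to external links, can be checked mechanically before a client renders anything. The following script is an added example written for this article; it is not code from the Efail researchers, the EFF, or any mail client. It walks a MIME message with the standard library parser, lists every HTML reference that would cause a remote fetch (image sources, stylesheet links, CSS `url()` in style attributes and `<style>` blocks), and notes whether the same message also carries a PGP/MIME or S/MIME encrypted part. The sample message, the host names in it and the placeholder ciphertext are constructed for the example.

```python
"""
Scan a MIME message for HTML parts that reference remote resources (which a
mail client would fetch when rendering) and check whether the same message
also carries an OpenPGP or S/MIME encrypted part. Standard library only.
"""
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Matches absolute http(s) URLs and protocol-relative "//host/..." URLs.
REMOTE_URL = re.compile(r"^\s*(https?:)?//", re.IGNORECASE)
# Matches url(...) in CSS text pointing at a remote host.
CSS_URL = re.compile(r"url\(\s*['\"]?((?:https?:)?//[^'\")]+)", re.IGNORECASE)
# Content types that indicate encrypted content (RFC 3156 PGP/MIME, S/MIME).
ENCRYPTED_TYPES = {
    "multipart/encrypted",
    "application/pgp-encrypted",
    "application/pkcs7-mime",
}


class RemoteRefCollector(HTMLParser):
    """Collects (tag, attribute, url) triples that would trigger a network load."""

    REF_ATTRS = {"src", "href", "background", "poster", "data", "action"}

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False  # inside a <style> block (CSS text, not HTML)

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value is None:
                continue
            if name in self.REF_ATTRS and REMOTE_URL.match(value):
                self.refs.append((tag, name, value.strip()))
            elif name == "style":  # inline CSS, e.g. background:url(...)
                for url in CSS_URL.findall(value):
                    self.refs.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.refs.append(("style", "css", url))


def find_remote_references(html: str):
    """Return every remote reference found in an HTML fragment."""
    parser = RemoteRefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report remote loads and encrypted parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    remote, encrypted = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted.append(ctype)
        if ctype == "text/html":
            remote.extend(find_remote_references(part.get_content()))
    return {
        "remote_references": remote,
        "encrypted_parts": encrypted,
        # Policy: never fetch remote content; flag the combination for review.
        "block_remote_loads": bool(remote),
        "suspicious": bool(remote) and bool(encrypted),
    }


# Constructed sample: an HTML part with remote loads next to a PGP/MIME part.
# All host names and the ciphertext are placeholders made up for this example.
SAMPLE = b"""\
From: sender@example.test
To: reader@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://images.example.test/banner.png" alt="banner">
<link rel="stylesheet" href="//cdn.example.test/style.css">
<p style="background:url('http://tracker.example.test/px.gif')">hello</p>
<img src="cid:inline-logo">
</body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext, constructed for this example)
-----END PGP MESSAGE-----
--inner--
--outer--
"""

if __name__ == "__main__":
    report = scan_message(SAMPLE)
    for tag, attr, url in report["remote_references"]:
        print(f"remote load via <{tag} {attr}>: {url}")
    print("encrypted parts:", report["encrypted_parts"])
    print("suspicious:", report["suspicious"])
```

The `cid:` image is deliberately not flagged, since inline attachments do not leave the message. A gateway or client applying the quoted advice would refuse to fetch anything in `remote_references` regardless of the encrypted-part check; the `suspicious` flag only adds a reason to quarantine the message for a human look.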

According to a tweet from Schinzel, the vulnerabilities "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past". There are other methods that could be used to attack the information, but these backchannels are harder to exploit. "In 2018, businesses must re-evaluate how they communicate, opting to phase out email for secure communications solutions that are open-source, independently audited and end-to-end encrypted".
