E-mail encryption systems 'irreparably broken' - German researchers

Alonzo Simpson
May 14, 2018

According to the encryption software project GNU Privacy Guard (GnuPG), the problem comes from email programs that fail to check properly for decryption errors and that follow links in emails that include HTML code.

He warned on Twitter that "there are now no reliable fixes for the vulnerability".

The attacker needs to first access encrypted emails, which could have been collected years ago.

Disabling PGP and S/MIME is seen as a conservative stopgap until proper mitigation can be applied more broadly. The newly found vulnerability has the potential to reveal encrypted emails in plaintext, including emails sent in the past.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim.

As of now, there are not many details available on the latest vulnerability, but more information is expected to be shared by the researchers soon. Obviously, the URL's domain is controlled by the attacker to achieve this; "efail.de" in this example. Researchers believe a simple patch will be able to address this issue, though it's presently quite easy to exploit.

"The Efail attacks abuse active content, mostly in the form of HTML images, styles, etc", the Efail site states.

Patching efforts from multiple vendors are now underway, but in the near term, there are multiple mitigation steps suggested by the researchers to help minimize the potential risk of exploitation via the Efail attack methods.

By comparison, the Gadget Attack affects a much wider variety of mail clients, including Microsoft's Outlook, but varies in efficacy depending on whether it's used against PGP or S/MIME encryption. A website has also been set up that advises PGP users to disable HTML rendering in emails sent via PGP, as that will close the most prominent way of taking advantage of the vulnerability.
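The mitigation above (not rendering HTML in decrypted mail), as an added Python sketch that is not code from the researchers or from any mail client: it displays only the text/plain part of an already-decrypted message and lists the remote references (images, styles) that an HTML renderer would have requested. The names `safe_view` and `RemoteRefFinder`, the host `attacker.example` and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Attributes a renderer fetches without user interaction (not exhaustive).
FETCH_ATTRS = {"src", "background", "poster"}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class RemoteRefFinder(HTMLParser):
    """Collects (tag, url) pairs that rendering the HTML would request."""
    def __init__(self):
        super().__init__()
        self.refs, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        for name, value in attrs:
            if name == "style":  # inline CSS such as background:url(...)
                self.refs += [(tag, u) for u in CSS_URL.findall(value or "")]
            elif REMOTE.match(value or "") and (
                    name in FETCH_ATTRS or (tag, name) == ("link", "href")):
                self.refs.append((tag, value.strip()))
    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:  # contents of a <style> element
            self.refs += [("style", u) for u in CSS_URL.findall(data)]

def safe_view(raw_message):
    """Return (plain_text, remote_refs); HTML parts are scanned, never rendered."""
    plain, refs = [], []
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/plain":
            plain.append(part.get_content())
        elif part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            refs += finder.refs
    return "".join(plain), refs

# Constructed sample: an already-decrypted multipart/alternative message.
SAMPLE = (
    'Content-Type: multipart/alternative; boundary="b1"\n\n--b1\n'
    'Content-Type: text/plain\n\nMeeting moved to 10:00.\n--b1\n'
    'Content-Type: text/html\n\n<style>p{background:url(http://attacker.example/bg.png)}'
    '</style><img src="http://attacker.example/p.gif"><a href="#top">top</a>\n--b1--\n'
)
```

Calling `safe_view(SAMPLE)` returns the plain text for display together with the two remote references, which can be logged instead of fetched.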

Naming the exploit "Efail", the researchers wrote that they had found two ways in which hackers could effectively coerce an email client into sending the full plaintext of messages to the attacker. However, the researchers have confirmed the exploitable vulnerabilities only exist for email users. But the researchers cautioned that, since attacks could become increasingly sophisticated in the future, strategies that bolster the OpenPGP and S/MIME standards are required for a long-term fix. "Therefore, the standards need to be updated, which will take some time".
