Researchers Warn Of Critical PGP And S/MIME Email Encryption Vulnerabilities


The critical vulnerability, dubbed EFAIL by Professor Sebastian Schinzel of Germany's FH Münster University of Applied Sciences, exposes encrypted emails in plaintext, even for messages sent in the past. The professor recommended that all users immediately delete this software from their devices so that hackers are unable to read their correspondence.

When contacted by Fortune, Schinzel declined to divulge further details ahead of Tuesday's announcement, but he pointed to a blog post from the world's biggest digital rights group, the Electronic Frontier Foundation (EFF), for further advice. There is currently no fix, researchers said.

The researchers used CBC/CFB gadgets "to inject malicious plaintext snippets into encrypted emails that abuse existing and standard conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption".

Mikko Hypponen, chief research officer at F-Secure, has called out researchers' warning that the flaws could be used to decrypt past messages.

While full details of the flaw are continuing to come to light, Süddeutsche Zeitung reports that although affected vendors have had months to patch the flaws, they've run into challenges.


Encryption can be switched on again only after the "immediate risk of the exploit" has passed, say representatives of the foundation. The EFF has asked service providers to communicate the news to all users and to request that they disable all related security plugins, including Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win.

While some believe these vulnerabilities are overblown since they require the attacker to already be in a privileged position, various security experts have advised users to uninstall PGP and S/MIME until fixes are made available.

The researchers have informed email providers of their findings, under so-called responsible disclosure, and it now falls to others to establish whether the exploits can be replicated.

Another way would be to use authenticated encryption via tools such as OpenPGP, he argued. (S/MIME is more typically used to protect corporate emails, which means its use is up to the IT department, not individual workers.) We're still in the "knee-jerk reaction" phase of the response cycle.

PGP - short for Pretty Good Privacy - was invented back in 1991 by Phil Zimmermann and has always been viewed as a secure form of end-to-end encryption impossible for outsiders to access. Anyone who wants their email communication to be secure and private should take notice. Unfortunately, the newly discovered "Efail" vulnerability could make that a possibility. In cloning, hackers replicate nodes in a network, and then use them to exploit a vulnerability within that network.
