eFail – Critical vulnerabilities in PGP and S/MIME

If your mail client is configured to load external resources automatically, attackers can abuse this behaviour to steal your messages

PGP, or Pretty Good Privacy, is an open source end-to-end encryption standard used to encrypt emails.

S/MIME, or Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed and encrypted emails.

A team of security researchers has released a warning about a set of critical vulnerabilities discovered in PGP and S/MIME encryption tools that could reveal your encrypted emails in plaintext. The vulnerabilities also impact encrypted emails you sent in the past.

The full details will be published in a paper on Tuesday 15.05.2018. The paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim.

The paper describes a series of vulnerabilities that all have in common their ability to expose email contents to an attacker when the target opens a maliciously crafted email sent to them by the attacker. In these attacks, the attacker has obtained a copy of an encrypted message but was unable to decrypt it.

The first attack is a “direct exfiltration” attack that is caused by the details of how mail clients choose to display HTML to the user. 

The second attack abuses the specification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext.

Exfiltration channels for various email clients for S/MIME, PGP SEIP with stripped MDC (-MDC), PGP SEIP with wrong MDC (+MDC), and PGP SE packets.

There is no mitigation for these issues at the moment.

Email clients are usually configured to automatically decrypt the content of encrypted emails you receive, but if your client is also configured to load external resources automatically, attackers can abuse this behaviour to steal messages in plaintext just by sending you a modified version of the same encrypted email content.

Users can switch to a good email client that always shows a warning when the integrity of the emails is compromised and doesn't render HTML emails by default to prevent loading of external resources automatically.

It’s possible to fix the specific exploits that allow messages to be exfiltrated: namely, do better than the standard says by not rendering messages if their integrity checks don’t check out.
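One way a client could enforce the two safeguards described above (refuse to render when the integrity check fails, and block resources that load automatically), shown as an added example that is not from the original article or from any mail client. The names `integrity_ok` and `render_decision` and the sample HTML are hypothetical and constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes whose URL a renderer fetches without any user action.
AUTO_LOAD_ATTRS = {"src", "srcset", "background", "poster", "data"}
REMOTE = re.compile(r"^\s*(?:https?:)?//", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

# Constructed sample body (not taken from a real message).
SAMPLE_HTML = (
    '<p>Quarterly numbers attached.</p>'
    '<img src="http://tracker.example/pixel.gif">'
    '<div style="background:url(//cdn.example/bg.png)"></div>'
    '<a href="https://example.org/">link</a>'
)


class RemoteRefFinder(HTMLParser):
    """Collects URLs that would be requested as soon as the HTML is rendered."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in AUTO_LOAD_ATTRS and REMOTE.match(value):
                self.refs.append((tag, name, value.strip()))
            elif tag == "link" and name == "href" and REMOTE.match(value):
                self.refs.append((tag, name, value.strip()))
            elif name == "style":
                self.refs += [(tag, "style", u) for u in CSS_URL.findall(value)]


def find_remote_refs(html):
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs


def render_decision(integrity_ok, html):
    """integrity_ok is an assumed flag from the crypto layer: True only when
    the integrity check (for OpenPGP, the MDC) was present and verified."""
    if not integrity_ok:
        return "refuse", []  # unauthenticated plaintext never reaches the renderer
    refs = find_remote_refs(html)
    return ("render_blocking_remote" if refs else "render"), refs
```

The ordinary `<a href>` link is not reported because it is only followed when the user clicks it; the image and the CSS background are fetched on display, so they are the ones to block.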

Updating the protocol and patching vulnerable software applications would address this specific issue, but it will take some time.

EFF has warned users to immediately disable any of the following plugins/tools for managing encrypted emails if they have them installed:

  • Thunderbird with Enigmail

  • Apple Mail with GPGTools

  • Outlook with Gpg4win


