PGP Encrypted Emails At Risk From ‘eFail’ Attacks

German researchers have warned those using a popular form of email encryption that serious flaws mean their messages could be decoded by attackers.

The two attacks, details of which were published on Monday in a research paper, affect PGP, the most popular technology for sending encrypted emails. There’s currently no fix, researchers said.

Sebastian Schinzel, lead of the IT security lab at the Münster University of Applied Sciences, said the paper would be published ahead of a scheduled date later this week after the embargo was broken. The paper credits eight German researchers, including Schinzel, with the Münster University of Applied Sciences, Ruhr University Bochum and KU Leuven.

The Süddeutsche Zeitung newspaper published details of the exploits on Monday morning.

eFail

On a website devoted to the issues, which the researchers called eFail, they said the attacks exploit problems with the OpenPGP and S/MIME standards and can expose the plaintext of encrypted emails.

More particularly, the attacks use specially crafted HTML emails that exploit bugs in the way PGP is implemented in some email programs.

“In a nutshell, eFail abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs,” they wrote.

The attacker needs to first access encrypted emails, which could have been collected years ago. Then the emails are changed in a particular way and sent to a victim.

“The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”

No patches available

The way the attacks function means that users can protect themselves by switching off HTML in their email clients or by using an external program, rather than an email client plugin, to decrypt messages, the researchers said.
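The "switch off external content" mitigation described above, as an added illustration that is not code from the researchers or from any mail client: it scans the HTML body of an already-decrypted message for resources a client would fetch from a remote server (images, stylesheets, scripts, frames and CSS url() references) and rewrites them so nothing is requested. The sample message body is constructed.

```python
import re
from html.parser import HTMLParser

# Tag/attribute pairs that make a mail client fetch a remote resource when
# the HTML is rendered: images, stylesheets, scripts and embedded frames.
REMOTE_ATTRS = {"img": "src", "link": "href", "script": "src", "iframe": "src"}
HTTP_URL_RE = re.compile(r"https?://[^\s'\")<>]+", re.IGNORECASE)


class RemoteContentFinder(HTMLParser):
    """Collect every http(s) URL the client would request while rendering."""

    def __init__(self):
        super().__init__()
        self.remote_urls = []
        self._in_style = False

    def _collect(self, text):
        self.remote_urls.extend(HTTP_URL_RE.findall(text))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            # Direct resource attribute (<img src=...>) or inline CSS url(...)
            if name == REMOTE_ATTRS.get(tag) or name == "style":
                self._collect(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # url(...) inside a <style> block
            self._collect(data)


def find_remote_content(html):
    """Return the remote URLs that rendering this HTML would request."""
    finder = RemoteContentFinder()
    finder.feed(html)
    return finder.remote_urls


def neutralise_remote_content(html):
    """Replace every remote load so the client fetches nothing externally."""
    for url in find_remote_content(html):
        html = html.replace(url, "blocked://remote-content")
    return html


SAMPLE_HTML = (  # constructed message body: one local image, two remote loads
    "<html><head><style>body{background:url(https://mail.example.invalid/bg.png)}"
    '</style></head><body><img src="cid:logo">'
    '<img src="https://mail.example.invalid/pixel.gif"><p>hello</p></body></html>'
)
```

Because the parser unescapes attribute values, a URL written with entities such as `&amp;` would need the same unescaping before the textual replacement; the sample avoids that case.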

In the longer term they said patches for email client plugins and changes to OpenPGP and S/MIME could prevent any problems.

The Electronic Frontier Foundation (EFF) had earlier warned users that the attacks posed “an immediate risk”.

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” the organisation wrote.

Werner Koch of GNU Privacy Guard (GnuPG), an open source PGP privacy suite, said the EFF’s warning was “overblown” and added that he had not been contacted. He recommended switching off HTML emails or using authenticated encryption.

Other methods of sending encrypted messages, such as Signal, Apple’s iMessage and Threema have recently become more widely used, creating alternatives to PGP for those in need of secure communications.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
