Researchers Discover Vulnerabilities in PGP/GPG Email Encryption Plugins, Users Advised to Avoid for Now

by

A warning has been issued by European security researchers about critical vulnerabilities discovered in PGP/GPG and S/MIME email encryption software that could reveal the plaintext of encrypted emails, including encrypted messages sent in the past.

GPGMail pane
The alert was put out late on Sunday night by professor of computer security Sebastian Schinzel. A joint research paper, due to be published tomorrow at 07:00 a.m. UTC (3:00 a.m. Eastern Time, 12:00 am Pacific) promises to offer a thorough explanation of the vulnerabilities, for which there are currently no reliable fixes.


Details remain vague about the so-called "Efail" exploit, but it appears to involve an attack vector on the encryption implementation in the client software as it processes HTML, rather than a vulnerability in the encryption method itself. A blog post published late Sunday night by the Electronic Frontier Foundation said:

"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

In the meantime, users of PGP/GPG and S/MIME are being advised to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email, and seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.

Update: The GPGTools/GPGMail team has posted a temporary workaround against the vulnerability, while MacRumors has compiled a separate guide to removing the popular open source plugin for Apple Mail until a fix for the vulnerability is released. Other popular affected clients include Mozilla Thunderbird with Enigmail and Microsoft Outlook with GPG4win. Click the links for EFF's uninstall steps.

Tags: Encryption, Security

Popular Stories

Apple Announces Special Event in New York Feature

Apple Announces Special Event in New York, London, and Shanghai on March 4

Monday February 16, 2026 6:05 am PST by
Apple today announced a "special Apple Experience" in New York, London, and Shanghai, taking place on March 4, 2026 at 9:00am ET. Apple invited select members of the media to the event in three major cities around the world. It is simply described as a "special Apple Experience," and there is no further information about what it may entail. The invitation features a 3D Apple logo design...
Read Full Article165 comments
M3 iPad Air

Apple's Next Two Products Are Coming Soon

Thursday February 12, 2026 11:17 am PST by
Apple plans to release an iPhone 17e and an iPad Air with an M4 chip "in the coming weeks," according to the latest word from Bloomberg's Mark Gurman. "Apple retail employees say that inventory of the iPhone 16e has basically dried out and the iPad Air is seeing shortages as well," said Gurman. "I've been expecting new versions of both (iPhone 17e and M4 iPad Air) in the coming weeks."...
Read Full Article
Apple Sales Coach App

Apple Launching New 'Sales Coach' App

Friday February 13, 2026 2:01 pm PST by
Apple plans to launch a rebranded "Sales Coach" app on the iPhone and iPad later this month, according to a source familiar with the matter. "Sales Coach" will arrive as an update to Apple's existing "SEED" app, and it will continue to provide sales tips and training resources to Apple Store and Apple Authorized Reseller employees around the world. For example, there are articles and videos...
Read Full Article26 comments
Coffee Burgundy and Purple iPhone 18 Pro Mock

Five iPhone 18 Pro Features Revealed in New Report

Friday February 13, 2026 8:43 am PST by
While the iPhone 18 Pro and iPhone 18 Pro Max are still seven months away, an analyst has revealed five new features the devices will allegedly have. Rumored color options for the iPhone 18 Pro models In a research note with investment firm GF Securities on Thursday, analyst Jeff Pu outlined the following upgrades for the iPhone 18 Pro models: Smaller Dynamic Island: It has been rumored...
Read Full Article58 comments
iOS 26 Home Feature

Three New Apple Home Products Rumored for 2026

Friday February 13, 2026 4:18 pm PST by
Apple has a long list of new products rumored for 2026, including a series of home products that will see the company establishing more of a presence in the smart home space. Robots are on the horizon for 2027, but the 2026 releases will be a little tamer. HomePod mini We're expecting a new HomePod mini 2 to launch at any time. Apple isn't going to update the device's design, but we could...
Read Full Article65 comments

Top Rated Comments

flyinmac Avatar
flyinmac
101 months ago
Hmm.... security protocol creates a vulnerability. To protect yourself, stop encrypting your emails???

Interesting.
Score: 12 Votes (Like | Disagree)
A
arekm
101 months ago
This looks like another clickbait by (almost pseudo) research teams. The problem is within mail software and not PGP encryption standard or tools.

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
Score: 7 Votes (Like | Disagree)
rodpascoe Avatar
rodpascoe
101 months ago
Oh the irony.
Score: 6 Votes (Like | Disagree)
flyinmac Avatar
flyinmac
101 months ago
Hope the alert was not sent by email LOL
Going back to using birds to deliver my messages. Considered pigeons... but I want a bird that can shred anyone who tries to intercept my message. Decided on Hawks.
Score: 4 Votes (Like | Disagree)
Detektiv-Pinky Avatar
Detektiv-Pinky
101 months ago

<snip>
From what I've read, it's a bug in PGP, not mail
I heard differently. It is supposedly a bug affecting any kind of Email encryption using MIME and automatically loading remote content. Also the in-build S/MIME encryption is at risk.
Score: 3 Votes (Like | Disagree)
belvdr Avatar
belvdr
101 months ago
From what I've read, it's a bug in PGP, not mail
It's a problem in the mail user agent (MUA), not PGP/GPG. From the mailing list:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html


The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails. It is long known that HTML mails and in particular external links like <img href="tla.org/TAG"/> are evil if the MUA actually honors them (which many meanwhile seem to do again; see all these newsletters). Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets.

There are two ways to mitigate this attack

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.
It also appears that some versions of OpenPGP already use authenticated encryption. From what I'm reading, this is a really old bug that many wanted to get fixed, but the MUAs fail to fix it.
Score: 3 Votes (Like | Disagree)
Read All Comments