Researchers Discover Vulnerabilities in PGP/GPG Email Encryption Plugins, Users Advised to Avoid for Now

A warning has been issued by European security researchers about critical vulnerabilities discovered in PGP/GPG and S/MIME email encryption software that could reveal the plaintext of encrypted emails, including encrypted messages sent in the past.

GPGMail pane
The alert was put out late on Sunday night by professor of computer security Sebastian Schinzel. A joint research paper, due to be published tomorrow at 07:00 a.m. UTC (3:00 a.m. Eastern Time, 12:00 am Pacific) promises to offer a thorough explanation of the vulnerabilities, for which there are currently no reliable fixes.


Details remain vague about the so-called "Efail" exploit, but it appears to involve an attack vector on the encryption implementation in the client software as it processes HTML, rather than a vulnerability in the encryption method itself. A blog post published late Sunday night by the Electronic Frontier Foundation said:

"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

In the meantime, users of PGP/GPG and S/MIME are being advised to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email, and seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.

Update: The GPGTools/GPGMail team has posted a temporary workaround against the vulnerability, while MacRumors has compiled a separate guide to removing the popular open source plugin for Apple Mail until a fix for the vulnerability is released. Other popular affected clients include Mozilla Thunderbird with Enigmail and Microsoft Outlook with GPG4win. Click the links for EFF's uninstall steps.

Top Rated Comments

flyinmac Avatar
48 months ago
Hmm.... security protocol creates a vulnerability. To protect yourself, stop encrypting your emails???

Interesting.
Score: 12 Votes (Like | Disagree)
arekm Avatar
48 months ago
This looks like another clickbait by (almost pseudo) research teams. The problem is within mail software and not PGP encryption standard or tools.

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
Score: 7 Votes (Like | Disagree)
rodpascoe Avatar
48 months ago
Oh the irony.
Score: 6 Votes (Like | Disagree)
flyinmac Avatar
48 months ago
Hope the alert was not sent by email LOL
Going back to using birds to deliver my messages. Considered pigeons... but I want a bird that can shred anyone who tries to intercept my message. Decided on Hawks.
Score: 4 Votes (Like | Disagree)
Detektiv-Pinky Avatar
48 months ago

<snip>
From what I've read, it's a bug in PGP, not mail
I heard differently. It is supposedly a bug affecting any kind of Email encryption using MIME and automatically loading remote content. Also the in-build S/MIME encryption is at risk.
Score: 3 Votes (Like | Disagree)
belvdr Avatar
48 months ago
From what I've read, it's a bug in PGP, not mail
It's a problem in the mail user agent (MUA), not PGP/GPG. From the mailing list:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html


The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails. It is long known that HTML mails and in particular external links like <img href="tla.org/TAG"/> are evil if the MUA actually honors them (which many meanwhile seem to do again; see all these newsletters). Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets.

There are two ways to mitigate this attack

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.
It also appears that some versions of OpenPGP already use authenticated encryption. From what I'm reading, this is a really old bug that many wanted to get fixed, but the MUAs fail to fix it.
Score: 3 Votes (Like | Disagree)

Popular Stories

AirPods Pro Gen 3 Mock Feature Red

AirPods Pro 2 Could Start a New Accessory Ecosystem

Friday January 14, 2022 2:34 am PST by
Apple's second-generation AirPods Pro could arrive alongside a new series of accessories, recent leaked images suggest. Alleged leaked photos of the next-generation AirPods Pro obtained by MacRumors showed a charging case with a metal loop on the side for attaching a strap. Apple has not used this design for any of its other AirPod models and it is unclear why it would be added in this...
netflix2

Netflix Again Raises Prices for All Plans, 4K Streaming Now $20 Per Month

Friday January 14, 2022 12:46 pm PST by
Netflix today updated the prices for its streaming plans, and all of its offerings are now more expensive. The Basic plan is now priced at $9.99 per month, the Standard plan is priced at $15.49 per month, and the Premium plan is priced at $19.99 per month. The Basic plan is $1 more expensive, up from $8.99 per month. This plan allows users to watch on just one screen at a time, and it limits ...
iPhone 14 Mock pill and hole 16x9 120hz

Analyst: All iPhone 14 Models to Feature 120Hz Displays, 6GB of RAM, and More

Friday January 14, 2022 7:02 am PST by
Apple is rumored to announce four new iPhone 14 models in September, and ahead of time, analyst Jeff Pu has outlined his expectations for the devices. In a research note with Haitong International Securities, obtained by MacRumors, Pu claimed that all iPhone 14 models will feature ProMotion displays, compared to only Pro models currently. ProMotion enables a variable refresh rate up to 120Hz ...
ios 15

Apple Releases Minor iOS 15.2.1 and iPadOS 15.2.1 Updates

Wednesday January 12, 2022 10:05 am PST by
Apple today released minor 15.2.1 updates for iPhone and iPad users, and the software comes one month after Apple launched iOS 15.2 and iPadOS 15.2 with a slew of improvements. The iOS 15.2.1 and iPadOS 15.2.1 update can be downloaded for free and the software is available on all eligible devices over-the-air in the Settings app. To access the new software, go to Settings > General >...
maxresdefault

Hands-On With LG's 32-Inch UltraFine OLED Pro Display

Wednesday January 12, 2022 1:12 pm PST by
LG in December announced the launch of its new 2022 32-inch UltraFine OLED Pro display, and in our latest YouTube video, we went hands-on with it to see how it compares to Apple's Pro Display XDR and whether it might be worth picking up depending on the price point. Subscribe to the MacRumors YouTube channel for more videos. Officially named the "32BP95E," the display features a resolution of ...
iPad Pro Big Ol Logo Orange

Next iPad Pro Might Feature Large Glass Apple Logo to Allow Wireless Charging

Friday January 14, 2022 10:44 am PST by
Bloomberg's Mark Gurman and Debby Wu last year reported that Apple had tested a new iPad Pro with a glass back for wireless charging capabilities. In a recent edition of his newsletter, Gurman said he expects the new iPad Pro to be released in 2022. While the new iPad Pro is still on track to feature wireless charging, 9to5Mac's Filipe Espósito today reported that Apple may have ultimately...
iPhone 14 Mock pill and hole

iPhone 14 Pro Now Rumored to Feature Both Pill-Shaped and Circular Cutouts

Wednesday January 12, 2022 9:26 am PST by
Apple is widely expected to remove the notch on iPhone 14 Pro models, but there have been conflicting rumors about the new design. Early rumors suggested that Apple would adopt a hole-punch design with Face ID somehow moved completely under the display, and later it was rumored that there would be a pill-shaped cutout instead. Now, display industry consultant Ross Young has claimed that...
fortnite apple logo geforce feature

Fortnite Coming Back to iOS Soon Thanks to Nvidia's GeForce NOW Service

Thursday January 13, 2022 11:19 am PST by
With the Apple vs. Epic Games lawsuit continuing on, there are no signs that Apple has any intention of allowing popular battle royale game Fortnite to return to the App Store on iPhone and iPad. Epic Games has found a workaround though, by partnering up with Nvidia. GeForce NOW, Nvidia's streaming gaming service, will soon add Fortnite support, allowing Fortnite to be played through a...
iMac 27 inch 2020 sale

Deals: Apple's 21.5-Inch iMac Hits Record Low Price of $599.99 ($499 Off) [Update: Out of Stock]

Thursday January 13, 2022 4:05 am PST by
Amazon today has a great deal on the 2017 Intel 21.5-inch iMac (2.3GHz, 8GB RAM, 256GB SSD), priced at $599.99, down from $1,099.00. This is the best price we've ever tracked on this model, and it's only available at Amazon. The sale price will be reflected after an automatic coupon is applied at checkout. Note: MacRumors is an affiliate partner with some of these vendors. When you click a...