Published: Mon, May 14, 2018
IT | By Lester Massey

Email encryption flaws can expose Apple Mail, Outlook, and Thunderbird messages


Professor Schinzel is a member of a research team made up of a long list of respected security researchers, which has been responsible for uncovering a number of cryptographic vulnerabilities.

European researchers have found that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked, leading them to urge people to disable and uninstall them immediately.

It recommended that users switch for the time being to secure messaging app Signal for sensitive communications.

More specifically, the attacks use specially crafted HTML emails that exploit bugs in the way PGP is implemented in some email programs.

German researchers have warned those using a popular form of email encryption that serious flaws mean their messages could be decoded by attackers.

PGP encryption is mostly used by political activists, journalists, and whistleblowers as an extra layer of encryption.


The vulnerabilities, dubbed EFAIL, are harmful because they can reveal the contents of messages in plain text, even messages from the past. The Electronic Frontier Foundation advises immediately disabling all email tools that automatically decrypt PGP.

In a 21-page academic paper, researchers from Münster University, Ruhr University Bochum and KU Leuven detail the Efail attack, which could potentially enable an attacker to read emails that have been encrypted with the OpenPGP and S/MIME standards.

EFF's statement on the matter mirrored Schinzel's, and also included instructions on how to disable PGP plug-ins in Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win.

The vulnerability requires several steps for an attacker to intercept encrypted emails, but reveals a crack in PGP's armor. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. This is then encrypted with the sender's private "key" and decrypted by the receiver using a separate public key. Previously encrypted emails may now become available for decryption without having the proper credentials to do so.

Security researchers, backed by the EFF, have issued a warning over PGP and S/MIME encryption. In addition, the mails would need to be in HTML format and have active links to external content to be vulnerable, the BSI said.
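The two conditions the BSI names (HTML format and references to external content) can be checked on stored mail. The Python sketch below is an added example, not code from the article or the researchers; the attribute list, the function and class names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Attributes a renderer may fetch without a click (assumed, non-exhaustive).
URL_ATTRS = {"src", "background", "poster", "data", "href"}
CLICK_ONLY = {"a", "area"}  # href on these is followed only on a click
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted",
                   "application/pkcs7-mime", "application/x-pkcs7-mime"}

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for references to remote hosts."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            clickable = name == "href" and tag in CLICK_ONLY
            if name in URL_ATTRS and value and not clickable:
                if value.strip().lower().startswith(("http://", "https://", "//")):
                    self.refs.append((tag, name, value.strip()))

def audit_message(raw):
    """Return (has_encrypted_part, remote_refs) for one raw message."""
    encrypted, refs = False, []
    for part in message_from_string(raw, policy=default).walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif ctype == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            refs.extend(finder.refs)
    return encrypted, refs

# Constructed sample: an HTML part with one remote image beside an S/MIME part.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<p>Hi</p><img src="https://remote.example/logo.png"><a href="https://example.org/">x</a>
--B
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

AAAA
--B--
"""
```

A message for which `audit_message` returns `True` together with a non-empty list meets both conditions and is a candidate for review or for rendering with remote content disabled.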
