Published: Tue, May 15, 2018
IT&Software | By Alfonso Woods

Critical Flaw Found in PGP and S/MIME Email Clients Like Apple Mail

Some people are saying this is an overreaction, but if you would like to be certain, the EFF has released guides on how to disable PGP encryption in Apple Mail, Outlook, and Thunderbird. Secure messaging services such as Signal are not impacted, according to the Electronic Frontier Foundation, which worked with the research team to publicize the problem. "In many GUI email clients, this HTML can exfiltrate the plaintext to a remote server".

"The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker", the researchers wrote in a paper that dubs the exploits "Efail attacks". He later created OpenPGP, an open source approach that is based on PGP and available via free software such as GPG, short for GNU Privacy Guard. If it's not, GnuPG returns an alert.

The encrypted email is modified and sent to the target.

Another way would be to use authenticated encryption via tools such as OpenPGP, he argued.

His colleague Robert Hansen said on Twitter that the issue had been known about for some time. In fact, the only clients protected against S/MIME attacks are Claws Mail and Mutt, whereas more clients are protected against PGP-targeting attacks.

A professor of computer science has warned users of Pretty Good Privacy (PGP) that the encryption program has vulnerabilities and should be immediately disabled. "It seems to not be easily reproducible in all cases".

Until more details are made public, it's hard to know just how serious the security issue really is.

They continue that in their model, the attacker is able to collect end-to-end encrypted emails, either through a man-in-the-middle attack on the network, by accessing an SMTP server, by accessing the IMAP account on the server, or by some other means. "Given the current state of our research, the CFB gadget attack against PGP only has a success rate of approximately one in three attempts". Some have criticized the researchers for teasing the vulnerability before publishing their full paper on it, while others have jumped straight to disabling PGP in their email clients.

"If you use PGP or S/MIME for sensitive information then this is a big deal", Matt Green, a professor specializing in encryption at Johns Hopkins University, told Ars on Monday. The HTML code would then trick the victim's email client into fetching a URL with the unencrypted message contained in plain text in the request.

Apple Mail, iOS Mail and Mozilla Thunderbird are all vulnerable to direct exfiltration, they said.

The vulnerabilities in PGP and S/MIME standards pose an "immediate risk" to email communication including the potential exposure of the contents of past messages, said the Electronic Frontier Foundation, a US digital rights group.