‘Efail’ exploit can expose old email content that was previously encrypted
Lingering software flaws in popular email clients can be exploited under certain conditions to access email content even when it is protected by the PGP or S/MIME standards, according to new research.
The research, dubbed “efail,” explains how it’s possible to exploit buggy email platforms, particularly in the way PGP is integrated into the platform. It does not show how to “break” the actual encryption protocol supporting PGP, short for “pretty good privacy.”
Sebastian Schinzel, who co-authored the research, urged people to disable PGP or S/MIME in their email client until a fix can be issued.
The research is focused on how popular HTML-based email platforms — like Mozilla’s Thunderbird, Apple’s Mail, and Microsoft Outlook — continue to mishandle specific, internal configurations within email. In practice, an attacker could leverage these issues to redirect components of an encrypted message decrypted by the email client towards their own server, revealing the actual plaintext behind the targeted e-mail.
Researchers were careful to state Monday that an attacker has to already have access to a person’s email account in order for the exploit to work.
On a website dedicated to the flaw, researchers laid out how attacks would be carried out inside email clients through various code loopholes.
In the short term, researchers call for users to disable HTML rendering and avoid decrypting emails in an email client. However, they also call for an update to the OpenPGP and S/MIME standards so the vulnerabilities can be closed.