OpenPGP and S/MIME are two of the most common forms of email encryption, and a newly published paper from a partnership between researchers at Münster University of Applied Sciences, Ruhr University Bochum and KU Leuven has found a vulnerability affecting them.
The attack, as explained by The Verge, allows “bad actors [to] inject malicious code into intercepted emails, despite encryption protocols designed to protect against code injection.”
In this scenario, the researchers wrote, the attacker has already gained access to end-to-end encrypted emails. The attacker then manipulates the ciphertext of an intercepted email and sends the modified message back to the original receiver or the original sender. Because the message does not look threatening, the victim opens it; the email client decrypts the changed ciphertext and the decrypted content is sent back to the attacker, who can now read the information in the email.
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read efail 2/4
— Sebastian Schinzel (@seecurity) May 14, 2018
Sebastian Schinzel, professor of computer security at Münster, wrote on Twitter that “there are currently no reliable fixes for the vulnerability.” The researchers as a whole advise users “to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”
