OpenPGP and S/Mime vulnerability EFAIL discovered

Martin Brinkmann
May 14, 2018
Updated • May 14, 2018

EFAIL is the name of a new set of vulnerabilities that allow attackers to exploit issues in OpenPGP and S/Mime to gain access to encrypted messages.

OpenPGP is an encryption standard that Internet users may use to protect sensitive data such as emails by using encryption. S/Mime is another standard that is widely used in corporate environments.

EFAIL requires that the attacker managed to gain access to encrypted emails and that the target runs client software that is vulnerable to one of the two available attack types.

An attacker could gain access to encrypted emails by monitoring network traffic, compromising email servers or the computers of users, or gaining access to backup servers.

The attack works in the following way:

  • The attacker manages to get hold of an encrypted email.
  • The encrypted email is modified and send to the target.
  • The client used by the target decrypts the email and loads external content that transmits the plaintext message to the attacker.

The attacker may use two different types of attacks. The first is called direct exfiltration by the developers. It works in clients such as Mozilla Thunderbird, Postbox, MailMate, iOS Mail or Apple Mail and enables the attacker to exfiltrate the plaintext message of the encrypted email directly.

This attack works in the following way:

  1. The attacker creates a new multipart email message and prepares it in a special way. It consists of three parts:
    1. An HTML image tag that uses a src attribute that is opened with quotes but not closed.
    2. The actual encrypted message using PGP or S/Mime.
    3. The third part closes the open HTML tag of the first part.
  2. The message is send to the target.
  3. The target's email client processes the email. It loads the referenced image and attaches the plaintext message that it decrypted to the image URL.
  4. The attacker monitors hits to the server and gets hold of the secret message tis way.

The second attack type works against a larger number of email clients. In fact, the only clients protected against S/Mime attacks are Claws Mail and Mutt whereas more clients are protected against PGP-targeting attacks.

What can you do to protect yourself?

The researchers suggest the following mitigation strategies:

  • Short Term: Disable decryption of S/Mime or PGP emails in the email client. Copy and paste the encrypted text into separate programs to decrypt the text.
  • Short Term: Disable HTML rendering in the email client for all email messages.
  • Medium Term: Software companies need to patch the issues in their client applications.
  • Long Term: OpenPGP and S/Mime standards need to be updated.

While not explicitly mentioned, you may also disable the loading of remote content in the email client to prevent successful exploits.

Thunderbird users may want to check out our guide Switch Between HTML And Plain Text Emails In Thunderbird to enable plaintext email messages in the client. It is furthermore advised to disable the loading of any remote content by disabling "allow remote content in messages" under Tools > Options > Privacy.

Additional information about the vulnerability is available on the website the researchers created.

Now You: Do you use OpenPGP or S/Mime?

Related articles

OpenPGP and S/Mime vulnerability EFAIL discovered
Article Name
OpenPGP and S/Mime vulnerability EFAIL discovered
EFAIL is the name of a new set of vulnerabilities that allow attackers to exploit issues in OpenPGP and S/Mime to gain plaintext access to encrypted messages.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. thebrowser said on May 16, 2018 at 2:15 pm

    >>Long Term: OpenPGP and S/Mime standards need to be updated.

    Email vulnerabilities due to HTML have been known for quite a while, this is another example that is targeted at encrypted emails but it certainly does not mean there’s a vulnerability in PGP. The problem is within the software client which should be updated/patched to address this issue, and use another form of encryption until it’s fixed.

    1. John Fenderson said on May 16, 2018 at 7:27 pm


      I’m actually amazed that people are thinking this is a problem with PGP. It’s not. It’s a problem with HTML in email, and it’s not the only (or most severe) such problem. If you’re worried about security, you should not be allowing your email client to be interpreting HTML in emails, whether you use PGP or not.

      It’s a very serious threat vector.

  2. ****** said on May 15, 2018 at 10:17 pm

    No, PGP is not broken, not even with the Efail vulnerabilities

    1. Anonee said on May 16, 2018 at 8:44 am

      EFF, a nonbiased, 3rd party, nonprofit organization with a rich background in all things privacy and security related: “EFF’s current recommendation is to disable PGP integration in email clients”

      ProtonMail, a for-profit corporation that uses PGP in their email $ervice: “PGP is fine guys… trust us! So go ahead and keep those unsecure PGP plugins enabled…”

      I know who I’ll trust! ;)

      1. thebrowser said on May 17, 2018 at 12:39 am

        The perfect target of a vulnerability such as this one is pretty clear: businesses. What do business most commonly use for internal communication now a days? Email. Email clients to be more specific. Therefore, and assuming a vast majority of business email users (or most of internet users for that matter) are NOT computer literates, it is a very good advise to cease the use of potentially vulnerable email clients in order to preserve security and privacy. Much like when there’s a fire in the 20th floor, but you would evacuate the entire building anyway for safety.

        According to the EFF: “Because WE ARE AWAITING the response from the security community of the flaws highlighted in the paper, we recommend that for now you uninstall or disable your PGP email plug-in.”

        Which means, they literally have no idea whether this is real or not. Neither do I to be honest. But unlike you, me and the EFF, ProtonMail did work on the PGP standard that they implemented within their own tool. Which is open-source so feel free to go ahead and have a look if you will. Not that any of it really matters since nobody has really confirmed if this is true, which EFF’s statement stands true only because of good practice safety measures.

        >> I know who I’ll trust! ;)

        This kind of comment? Yeah, makes you sound clever and cool and stuff. No useful at all, though. Please inform yourself before attempting to send any kind of message to the public and spread unnecessary panic and/or misinformation. Especially regarding security. I sure know who I wouldn’t trust in this case ;)

  3. ilev said on May 15, 2018 at 5:46 am
    1. John Fenderson said on May 16, 2018 at 7:25 pm

      It’s not PGP that should be disabled, it’s HTML interpretation.

  4. flash said on May 15, 2018 at 1:39 am

    So I read the content on the efail website and further details in the technical paper … and I’m more than a little bit staggered that a vulnerability like this wasn’t found earlier. Or if it was found, then much care must have been taken to avoid making it public.

    This is really tricky, because from the way I understand it, you can send someone a HTML mail and hide multiple PGP encrypted code blocks in the HTML code, none of which will be visible to the reader. Because of this, you can use a lot of subterfuge too, like disguising the E-Mail either as spam or by imitating a real service you use.

    I think you can add one more item to the list of potential protection methods and that is to use a different E-Mail client. Take The Bat! for example, it comes with its own HTML viewer that already blocks scripts, but for this problem the much more useful feature is that by default it does not load ANY third-party content unless you specifically allow it from either a sender or based on the hostname of the external content (here’s a screenshot of this ).

    While this makes many HTML mails less “nice”, it also stops tracking pixels cold and increases your privacy. Whenever I need to view a more complex HTML mail properly, which doesn’t happen all that often, I double-click on the Message.html “attachment” and open it directly in my browser.

    The Bat! also allows the user to disable the reading confirmation replies (the E1 vulnerability in the technical paper), though I don’t think that’s on by default.

  5. Bobby Phoenix said on May 14, 2018 at 8:13 pm

    This would is messed up beyond repair in my view. Just because you can do something doesn’t mean you should. Every single day there’s a new vulnerability, and/or a hack/breach happened. You can also go knockout that 90 year old grandma, and take her purse, but we don’t (well most of us). This world should be a safe free world. No locks, no worries about security, no wondering what bad thing is around the corner. I’m done with it all. Good bye.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.