EFAIL is the name of a new set of vulnerabilities that allow attackers to exploit issues in OpenPGP and S/MIME to gain access to encrypted messages.
OpenPGP is an encryption standard that Internet users may use to protect sensitive data such as emails. S/MIME is another standard that is widely used in corporate environments.
EFAIL requires that the attacker has managed to gain access to encrypted emails and that the target runs client software that is vulnerable to one of the two available attack types.
An attacker could gain access to encrypted emails by monitoring network traffic, compromising email servers or the computers of users, or gaining access to backup servers.
The attack works in the following way:
The attacker may use two different types of attacks. The researchers call the first one direct exfiltration. It works in clients such as Mozilla Thunderbird, Postbox, MailMate, iOS Mail or Apple Mail and enables the attacker to exfiltrate the plaintext message of the encrypted email directly.
This attack works in the following way:
The second attack type works against a larger number of email clients. In fact, the only clients protected against S/MIME attacks are Claws Mail and Mutt, whereas more clients are protected against PGP-targeting attacks.
The researchers suggest the following mitigation strategies:
While not explicitly mentioned, you may also disable the loading of remote content in the email client to prevent successful exploits.
Thunderbird users may want to check out our guide "Switch Between HTML And Plain Text Emails In Thunderbird" to enable plaintext email messages in the client. It is furthermore advised to block the loading of any remote content by unchecking "allow remote content in messages" under Tools > Options > Privacy.
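To verify both Thunderbird settings across several profiles, the check can be scripted against each profile's prefs.js. This is an added example, not part of the original article; the preference names and their defaults are taken from Thunderbird's about:config as an assumption, and the sample profile contents are constructed.

```python
import re

# Defaults Thunderbird applies when a pref is absent from prefs.js
# (assumed from about:config; the article does not list them).
DEFAULTS = {
    "mailnews.message_display.disable_remote_image": True,  # remote content blocked
    "mailnews.display.prefer_plaintext": False,             # HTML rendering on
    "mailnews.display.html_as": 0,                          # 0 = original HTML, 1 = plain text
}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict, skipping comments."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Return the list of settings that deviate from the mitigations above."""
    prefs = {**DEFAULTS, **parse_prefs(text)}
    findings = []
    if not prefs["mailnews.message_display.disable_remote_image"]:
        findings.append("remote content is loaded automatically")
    if not (prefs["mailnews.display.prefer_plaintext"]
            and prefs["mailnews.display.html_as"] == 1):
        findings.append("message body is not displayed as plain text")
    return findings

# Constructed sample profiles, not taken from a real installation.
WEAK = '''// Mozilla User Preferences
user_pref("mailnews.message_display.disable_remote_image", false);
user_pref("mail.spellcheck.inline", true);
'''
HARDENED = '''user_pref("mailnews.display.prefer_plaintext", true);
user_pref("mailnews.display.html_as", 1);
'''

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(sample) or "ok")
```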
Additional information about the vulnerability is available on the website the researchers created.
Now You: Do you use OpenPGP or S/MIME?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.