Unfixed bugs in widely used e-mail programs make it possible for attackers to obtain the plaintext of messages that are encrypted using the PGP and S/MIME standards, researchers said early Monday morning. The attacks assume that an attacker has possession of the encrypted e-mails and can trick either the original sender or one of the recipients to open an invisible snippet of one of the intercepted messages in a new e-mail.
The flaws, some of which have existed for more than a decade, are part of a series of vulnerabilities dubbed Efail described by a team of European researchers. The vulnerabilities allow attackers to exfiltrate e-mail plaintexts by embedding the previously obtained cipher text into unviewable parts of an e-mail and combining it with HTML coding. Earlier on Monday, the researchers issued an advisory recommending PGP and S/MIME users disable the encryption in their e-mail clients but had planned to wait until Tuesday to provide technical details of the vulnerabilities. Within hours, the researchers published the paper, which is titled .
The most serious vulnerabilities have resided in Thunderbird, macOS Mail, and Outlook for more than 10 years and remain unfixed at the moment, the researchers said. Flaws in the way the programs handle e-mails with multiple body parts make it possible to embed invisible snippets of previously obtained encrypted text in new e-mails. By also including the Web address of an attacker-controlled server, the newly sent emails can cause the programs to send the corresponding plaintext to the server. The surreptitious exfiltration works against both the PGP and S/MIME standards.
“If you use PG or S/MIME for sensitive information then this is a big deal,” Matt Green, a professor specializing in encryption at Johns Hopkins University, told Ars on Monday. “It means that those e-mails are potentially not secure. There is a real attack that can be exploited by people that allows them to decrypt a lot of encrypted email.”
The requirement that an attacker already have possession of an encrypted message is an important consideration. It means that the attacker would first have to break into an e-mail server, take over an e-mail account, intercept traffic as it crossed the Internet, or have access to a hard drive storing a previously sent e-mail. The attacker would then have to get the sender or one of the receivers of the previously obtained message to open a new attacker-sent email. The new e-mail would embed portions of the cipertext in places that often aren’t displayed by Thunderbird, Mail, Outlook, and more than two-dozen other e-mail programs. When done properly, the attack causes the corresponding plaintext of those snippets to be displayed on an attacker-controlled server.
While the requirement that attackers have access to previously sent e-mails is a an extremely high bar, the entire purpose of both PGP and S/MIME is to protect users against this possibility. Ars will have much more coverage of the efail vulnerabilities, and the researchers have more information here.
More details to come.