
Fatal ‘EFAIL’ Vulnerabilities May Expose Encrypted Outlook Emails

The EFAIL vulnerabilities exploit externally loaded images or styles in HTML emails to deliver plaintext versions of emails to attackers. Organizations are advising users to stop using PGP until the issue is resolved.


A group of researchers has exposed a vulnerability in PGP, a popular email encryption standard used by Outlook, Mail, and Thunderbird. Known as EFAIL, the attacks can reveal encrypted emails in plaintext, and also affect the S/MIME standard.

In total, over 20 email clients are affected and there's no reliable fix. The attacks use the victim's own client to decrypt previously captured messages and return them to the attacker. The proof-of-concept is relatively straightforward and severe, stripping away the protection many rely on. It exploits externally loaded images or styles in HTML emails to leak the plaintext through the URLs the client requests.
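The leak channel described above only works if the mail client fetches remote resources when it renders the decrypted HTML, which is why the standard mitigation is to refuse remote content. The following Python script is an added example (not code from this article, the researchers, or any mail client) of that defensive pre-render step: it parses an HTML body, records every image, stylesheet, script or CSS `url()` reference that would cause an outbound request, and rewrites each one to `about:blank`. The tag/attribute table and the sample message are assumptions constructed for the demonstration.

```python
"""Find and neutralise remote-content loads in an HTML email before rendering.

Added example; not code from the article or from any mail client. It applies
the "do not load remote content" setting as a pre-render filter: anything that
would make the renderer fetch a URL is recorded and rewritten to about:blank,
so rendering a decrypted body cannot trigger an outbound request.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tag -> attributes that trigger a fetch on render (assumed list; common cases only).
FETCHING_ATTRS = {
    "img": ("src",),
    "link": ("href",),
    "script": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
}
REMOTE_URL = re.compile(r"^\s*(?:https?:|//)", re.IGNORECASE)
CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)


class RemoteContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for every remote resource the markup would fetch."""

    def __init__(self):
        super().__init__()
        self.remote = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCHING_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and REMOTE_URL.match(value):
                self.remote.append((tag, name, value.strip()))
        # Inline style attributes can fetch as well: style="background:url(...)"
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self.remote.append((tag, "style", url))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # <style> blocks arrive as raw text; url() inside them also fetches
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.remote.append(("style", "css", url))


def find_remote_loads(body):
    """Return the list of (tag, attribute, url) remote references in an HTML body."""
    scanner = RemoteContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.remote


def neutralise_remote_loads(body):
    """Return (rewritten_html, blocked_urls); every remote reference becomes about:blank."""
    blocked = find_remote_loads(body)
    for _tag, _attr, url in blocked:
        # The parser unescapes entities, so replace both the raw and the escaped spelling.
        for spelling in {url, escape(url, quote=True)}:
            body = body.replace(spelling, "about:blank")
    return body, [url for _, _, url in blocked]


# Constructed sample: one inline (cid:) image that needs no network, plus four
# references that would each cause an outbound request when rendered.
SAMPLE_BODY = """<html><body>
<p>Quarterly numbers attached.</p>
<img src="cid:logo@local">
<img src="https://tracker.example/pixel.gif?id=123">
<link rel="stylesheet" href="http://cdn.example/mail.css">
<div style="background:url('https://img.example/bg.png')">Hello</div>
<style>p { background: url(https://css.example/x.png); }</style>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_loads(SAMPLE_BODY):
        print(f"blocked {tag}[{attr}] -> {url}")
    safe_body, _ = neutralise_remote_loads(SAMPLE_BODY)
    print(safe_body)
```

Inline `cid:` attachments are left untouched, since they are served from the message itself, while every `http`/`https` reference is rewritten; running `find_remote_loads` on the rewritten body returns an empty list, which is the property a client should verify before handing decrypted HTML to its renderer.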

For now, the Electronic Frontier Foundation is advising users to stop using PGP entirely. Instead, it recommends other secure methods of communication.

“At EFF, we have relied on PGP extensively both internally and to secure much of our external-facing email communications. Because of the severity of the vulnerabilities disclosed today, we are temporarily dialing down our use of PGP for both internal and external email,” said the non-profit.

A Fix Will Take Time

Though clients are rolling out software patches already, a full fix is going to take time. Although it's possible to fix the exploits that let messages be exfiltrated, updates take time to reach users. Both the sender and all the receivers must be up to date to protect the email chain, and it's likely this won't be the case for some time.

The scope of the threat is also unclear. It's likely more exploits will be discovered in the coming weeks, and that protections won't fully mitigate the issue. However, other security experts are taking a less panicked approach.

To exploit EFAIL, the attacker needs access to encrypted emails, either by spying on network traffic or hacking accounts, servers, or backup systems.

“If a malicious hacker already has access to your email servers, networks, and such like, there's probably all manner of worse and less convoluted things they could be doing to make your life a misery, steal secrets, and destroy your privacy,” says security advisor Graham Cluley.

He suggests that disabling PGP may put users at greater risk if they don't use a different method of encryption. Whatever the case, the flaw will be a wake-up call to many, and a push towards encrypted messaging services like Signal.

Ryan Maskell (https://ryanmaskell.co.uk)