Fatal ‘EFAIL’ Vulnerabilities May Expose Encrypted Outlook Emails

The EFAIL vulnerabilities exploit externally loaded images or styles in HTML emails to deliver plaintext versions of emails to attackers. Organizations are advising users to stop using PGP until the issue is resolved.

A group of researchers has exposed a vulnerability in PGP, a popular email encryption standard used by Outlook, Apple Mail, and Thunderbird. Known as EFAIL, the attacks can reveal encrypted emails in plaintext, and also affect the S/MIME standard. In total, over 20 email clients are affected and there's no reliable fix.

The exploits use the victim's own email client to decrypt previously captured messages and return them to the attacker. The proof-of-concept is relatively straightforward and severe, stripping away the protection many rely on. It abuses externally loaded images or styles in HTML emails: when the client renders the message, it requests a URL that carries the decrypted plaintext, handing it to the attacker's server.

For now, the Electronic Frontier Foundation is advising users to stop using PGP entirely. Instead, it recommends other secure methods of communication. “At EFF, we have relied on PGP extensively both internally and to secure much of our external-facing email communications. Because of the severity of the vulnerabilities disclosed today, we are temporarily dialing down our use of PGP for both internal and external email,” said the non-profit.
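The exfiltration channel described above only works if the mail client fetches remote content when it renders the decrypted HTML. The following added example (written for this page; it is not code from the article, from the EFAIL researchers, or from any mail client) shows the defensive check a client or mail gateway can apply: scan the HTML for anything that would trigger a network request (image sources, stylesheet links, `url()` in CSS) and strip it before rendering. The sample message, the `sanitize` function and the `RemoteContentFilter` class are all constructed for this demonstration; `cid:` references to attached parts are left alone because they do not leave the client.

```python
"""Flag and strip remote-content references from an HTML email body.

Constructed example: a client that never loads remote content cannot leak
decrypted plaintext through a requested URL, so the check below removes every
attribute or style rule that would make the renderer issue a request.
"""
import re
from html.parser import HTMLParser

# Attributes, per tag, whose value is fetched when the HTML is rendered.
FETCH_ATTRS = {
    "img": ("src",), "link": ("href",), "iframe": ("src",), "source": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "object": ("data",), "embed": ("src",),
}
# Any url() in CSS is treated as a fetch; this is deliberately conservative.
CSS_URL = re.compile(r"url\s*\(", re.IGNORECASE)


def is_remote(url: str) -> bool:
    """True for URLs that leave the client; cid:/data:/mailto: stay local."""
    u = url.strip().lower()
    return u.startswith(("http://", "https://", "ftp://", "//"))


class RemoteContentFilter(HTMLParser):
    """Re-emits the HTML while dropping attributes and CSS that fetch remote data."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # sanitized HTML fragments
        self.findings = []     # (tag, attribute, value) triples that were removed
        self._in_style = False

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            fetches = lname in FETCH_ATTRS.get(tag, ()) or lname == "background"
            if value and fetches and is_remote(value):
                self.findings.append((tag, lname, value))
                continue
            if value and lname == "style" and CSS_URL.search(value):
                self.findings.append((tag, "style", value))
                continue
            kept.append((name, value))
        return kept

    def _emit_tag(self, tag, attrs, selfclosing):
        parts = [tag] + [f'{n}="{v}"' if v is not None else n for n, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        self._emit_tag(tag, self._clean_attrs(tag, attrs), False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, self._clean_attrs(tag, attrs), True)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # HTMLParser delivers <style> bodies as one data chunk; drop any with url().
        if self._in_style and CSS_URL.search(data):
            self.findings.append(("style", "css", data.strip()))
            self.out.append("/* remote url() removed */")
            return
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def sanitize(html: str):
    """Return (sanitized_html, findings) for a decrypted HTML message body."""
    parser = RemoteContentFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample: one remote stylesheet rule, one remote image,
# one attached (cid:) image that must survive, one inline style with url().
SAMPLE_HTML = (
    "<html><head><style>body { background: url(https://cdn.example.net/bg.png); }"
    "</style></head><body><p>Hello &amp; welcome.</p>"
    '<img src="https://tracker.example.net/pixel.gif">'
    '<img src="cid:part1@mail">'
    '<div style="background-image:url(https://cdn.example.net/x.png)">text</div>'
    "</body></html>"
)

if __name__ == "__main__":
    clean, found = sanitize(SAMPLE_HTML)
    for tag, attr, value in found:
        print(f"removed {tag}/{attr}: {value}")
    print(clean)
```

In a real client the sanitized body is what gets rendered, and the findings list is what a gateway would log or surface to the user (“this message tried to load remote content”). The filter errs toward stripping too much: any `url()` in CSS is removed whether or not it points off-host, because an attacker controls the markup and the cost of a false positive is a missing background image.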