Security researchers said Monday they have discovered a critical flaw in the way certain email programs handle a popular encryption technology that safeguards emails from prying eyes.
The flaw, known as Efail, affects applications such as Mozilla Thunderbird, Apple Mail and some versions of Outlook, said the team of European researchers. Efail targets the encryption standard known as PGP, or Pretty Good Privacy, and S/MIME, a similar protocol commonly used by businesses and other enterprises. A full list of affected email programs is available from the researchers' report.
Whistleblowers, political activists and others who depend on encrypted email could all be compromised by the bug, the researchers said in a blog post. The Electronic Frontier Foundation, a separate technology advocacy group that previewed the researchers' findings on Sunday, said users of the affected email programs should disable any third-party software they have installed that allows the email apps to use PGP or S/MIME. (EFF has provided step-by-step instructions for each type of mail client.)
"Until the flaws described in the paper are more widely understood and fixed," EFF said, "users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email."
The flaw works when an attacker already has access to a victim's encrypted emails. The vulnerability allows hackers to read an encrypted email by making changes to its HTML, which essentially tricks the affected email applications into decrypting the rest of the message.
“The attacker can modify the encrypted email, and when the person for whom it’s intended opens it or previews it, the mail program will send the contents out to a remote server the attacker has set up,” said Matt Green, a cryptography expert and assistant professor at Johns Hopkins University. “All you have to do is look at it and it will decrypt itself and send it out to the attacker.”
Apple said Monday that it is aware of the issue and that updates to fully address it will soon be released. Microsoft did not immediately respond to a request for comment. Mozilla referred questions to the Thunderbird Council, the third-party open-source software group that maintains the Thunderbird email app. Ryan Sipes, a Thunderbird community manager, said in a statement that a patch is being developed and will be distributed as an update by the end of the week.
Some security experts said that because Efail seems to affect specific email applications, it is overkill to say that there is a flaw in the actual underlying encryption protocols.
Werner Koch, the principal author of the cryptographic software GNU Privacy Guard, called EFF’s warnings about the vulnerability “pretty overblown.” In a post Monday, he said that his team was not contacted about the flaw and that the attack could be mitigated by avoiding HTML emails or using authenticated encryption, which adds a layer of protection to confirm the message hasn’t been changed. Still, some developers of PGP software for email apps aren't taking any chances.
Andy Yen, chief executive of the encrypted email service ProtonMail, also criticized the way EFF and the researchers portrayed the issue, saying it was reckless to tell users to stop exchanging encrypted emails. The problem, he said, was not with PGP but with the way email clients have implemented it.
“It’s like any software -- if the vendors are actively patching and updating, it’s secure,” Yen said, adding that ProtonMail was unaffected by the flaw. “If you look at the top 10 clients out there, most have long since patched it. What the researchers have really done is catalogued clients that haven’t done this properly.”
Rather than deal with email encryption issues at all, others said, just switch to an encrypted messaging app that doesn't require any third-party plug-ins.
"This whole PGP infrastructure is kind of a mess and needs to be hardened up and fixed, or we need to start using something better,” Green, of Johns Hopkins, said. “Signal, Wire and other encrypted chat applications aren’t vulnerable the way PGP is. They’re not only more secure, they’re more widely used.”