Users Reveal Bugs That Can Read Plaintext of Encrypted Personal Emails

15 May 2018

Security researchers said Monday they have discovered a critical flaw in the way certain email programs handle a popular encryption technology that safeguards emails from prying eyes.

The attacker needs to first access encrypted emails, which could have been collected years ago. Then the email client's HTML parser immediately sends or "exfiltrates" the decrypted message to a server that the attacker controls. This attack relies on a three-part message being sent.

Researchers at FH Münster University of Applied Sciences have released details of a vulnerability, for which there is no known patch, that could allow hackers to turn a ciphered message into plain text and read it.

In the meantime, digital privacy rights group Electronic Frontier Foundation, which has reviewed the researchers' findings, confirmed that the bugs pose a risk to anyone using PGP and S/MIME and as a "temporary, conservative stopgap" recommends disabling any email plug-ins that automatically decrypt such messages.

Professor Schinzel is a member of a research team that consists of a long list of respected security researchers and has been responsible for uncovering a number of cryptographic vulnerabilities.

PGP and S/MIME have flaws that could be exploited to decrypt any incoming or outgoing communication.

The research is focused on how popular HTML-based email platforms - like Mozilla's Thunderbird, Apple's Mail, and Microsoft Outlook - continue to mishandle specific, internal configurations within email.

When he asked his online community whether any of the members use PGP, responses ranged from "LOL, no" to "Most don't even know what that is" to a member saying he set up PGP, but no client has ever wanted to use the encryption option.

Because the HTML rendering engine is enabled, the mail client treats the message body as a URL, encodes it and queries the malicious actor's server with it, thereby leaking the message.

The vulnerability comes in two parts: an HTML exfiltration attack in which a snoop sends the target an email with specially crafted web mark-up language. That the vulnerability also affects S/MIME, however, may be more significant because S/MIME is much more widely deployed by businesses to secure their email communications. It's important to note that this exploit is only useful if an unscrupulous individual already has access to the encrypted S/MIME or PGP emails.

Werner Koch, principal author of GNU Privacy Guard, a free implementation of the OpenPGP standard, opened a discussion on the issue in which he said that the attack should not work if authenticated encryption (GnuPG's is called modification detection code, or MDC) is in use, which is the preferred configuration.
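
A mail client or plug-in can enforce the MDC condition Koch describes before any decrypted text reaches the HTML renderer. The Python below is an added example, not code from GnuPG or from the researchers; it assumes gpg was run with `--status-fd` and its output was buffered until gpg exited, and the function names and sample transcripts are constructed for illustration.

```python
# Added example: fail-closed gate on GnuPG's machine-readable status output.
# Assumption: gpg was run with --status-fd and its plaintext was buffered,
# not rendered, until gpg exited (status lines can arrive after the text).
STATUS_PREFIX = "[GNUPG:] "

def parse_status(status_text):
    """Return the status keywords in the order gpg emitted them."""
    keywords = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                keywords.append(fields[0])
    return keywords

def may_render(status_text):
    """Return (allowed, reason); anything short of a verified MDC is refused."""
    seen = set(parse_status(status_text))
    if "BADMDC" in seen:
        return False, "integrity check failed (BADMDC)"
    if "DECRYPTION_FAILED" in seen:
        return False, "gpg reported DECRYPTION_FAILED"
    if "DECRYPTION_OKAY" not in seen:
        return False, "no DECRYPTION_OKAY seen"
    if "GOODMDC" not in seen:
        return False, "no GOODMDC seen, integrity unverified"
    return True, "decrypted and MDC verified"

# Constructed status transcripts (not captured from a real run).
INTACT = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] GOODMDC
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"""
TAMPERED = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION"""
UNPROTECTED = """[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION"""

if __name__ == "__main__":
    for name, text in [("intact", INTACT), ("tampered", TAMPERED),
                       ("unprotected", UNPROTECTED)]:
        print(name, may_render(text))
```

The third transcript is the case worth noticing: decryption succeeds, but without a `GOODMDC` line the gate still withholds the text.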

Short Term: Disable decryption of S/MIME or PGP emails in the email client.

EFF said in a blog post that users should uninstall PGP until the flaw is patched.