A weakness in PGP and S/MIME email encryption standards could let hackers expose messages and trigger cybersecurity and privacy issues. That’s according to German and Belgian researchers who say the vulnerability kicks in when cybercriminals intercept encrypted emails and compromise how HTML elements like images and multimedia styling are processed.
“When the recipient gets the altered message and their email client—like Outlook or Apple Mail—decrypts it, the email program will also load the external multimedia components through the maliciously altered channel, allowing the attacker to grab the plaintext of the message,” explains Lily Hay Newman from Wired.
Known as ‘eFail,’ the attack is not easy to pull off unless the attacker already has access to the encrypted emails. Nevertheless, email encryption has long served as a backup protection for exactly that situation, kind of like The Club, an anti-theft steering-wheel lock people would use to prevent car theft in case their cars were broken into.
Wired reports that Sebastian Schinzel, one of the researchers on the project, says there are no real fixes for the vulnerability and suggests disabling PGP/GPG or S/MIME for sensitive communication. The Electronic Frontier Foundation (EFF) appears to agree.
However, some cryptographers believe that even though the architecture of PGP encryption is dated and flawed, encrypted email is still better than nothing.
Hay Newman quotes a cryptographer at Johns Hopkins University: “It should be patchable.” But, he adds, “People don’t pay attention unless there’s an attack.”
Get the full story at Wired.