Security flaw could expose your encrypted emails, researchers warn

Uninstall PGP: EFF warns of exploit that may reveal plaintext of encrypted emails

Apple Mail, iOS Mail and Mozilla Thunderbird are all vulnerable to direct exfiltration, they said.

In an era when email hacks are a very real and common personal security threat, encryption is a way to ensure prying eyes don't spy on your digital correspondence.

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. While encrypted email keeps your messages secret, email clients see HTML content, such as images or hyperlinks, and translate it into plain text, even if there is encrypted content in it.

Sebastian Schinzel, who co-authored the research, urged people to disable PGP or S/MIME in their email client until a fix can be issued.

If you use a plugin with PGP or S/MIME encryption, the EFF suggests you remove it from your email app, and that you use a different service that offers better encryption and security if you want to send highly sensitive information over the internet.

Attackers who exploit the vulnerability are able to change an encrypted email in a certain way and then send the altered encrypted email to the victim.

While the requirement that attackers have access to previously sent e-mails is an extremely high bar, the entire goal of both PGP and S/MIME is to protect users against this possibility. This is then encrypted with the sender's private "key" and decrypted by the receiver using a separate public key.

"It's a lot of steps for sure, and one that honestly is more hypothetical than it is risky," Dave Kennedy, the chief executive at security company TrustedSec, said. In this case, the attacker locates the first block of encrypted plaintext in the stolen email and adds a fake block filled with zeroes. The problem resides in how email clients use these plug-ins to decrypt HTML-based emails.

In the USA, the Electronic Frontier Foundation, which has relied on PGP extensively to secure its own email communications, recommended that users uninstall or disable their PGP email plug-in, citing the severity of the vulnerabilities. They've disclosed the vulnerability to the companies providing email programs, so watch out for software patches.

The second component, referred to as the CBC/CFB gadget attack, potentially allows an attacker to send malformed data blocks that, when read by the target, would fool the email client into sending the unencrypted contents of the message to the attacker's server.
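The altered-ciphertext problem described above, as an added example that is not from the article or the researchers: CFB decryption with no integrity check accepts a ciphertext changed in transit, while verifying an HMAC over the ciphertext first rejects it. The keyed-hash stand-in for the block cipher, the function names and the sample message are assumptions made for this illustration.

```python
import hashlib, hmac, os

BLOCK, TAG = 16, 32  # CFB block size and HMAC-SHA256 tag size, in bytes

def _prf(key, block):
    # Stand-in for the block cipher (assumption): CFB only uses the forward direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _xor(plaintext[i:i + BLOCK], _prf(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block, _prf(key, prev)))
        prev = block
    return b"".join(out)

def seal(enc_key, mac_key, plaintext):
    iv = os.urandom(BLOCK)
    body = iv + cfb_encrypt(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, message):
    body, tag = message[:-TAG], message[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("ciphertext was altered; refusing to decrypt")
    return cfb_decrypt(enc_key, body[:BLOCK], body[BLOCK:])

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"Quarterly numbers attached, do not forward."  # constructed sample
    altered = bytearray(seal(enc_key, mac_key, msg))
    altered[BLOCK] ^= 0x01  # one changed bit in the first ciphertext block
    # No integrity check: decryption succeeds and returns altered plaintext.
    unchecked = cfb_decrypt(enc_key, bytes(altered[:BLOCK]), bytes(altered[BLOCK:-TAG]))
    try:  # Verify-then-decrypt rejects the same message before any parsing.
        open_sealed(enc_key, mac_key, bytes(altered))
    except ValueError:
        return unchecked, True
    return unchecked, False
```

`demo()` returns the plaintext an unchecked decrypt produces (first byte changed, second block garbled, third block intact) together with `True` when the verified path refused the message.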

In line with all expert cryptographic advice to date, recommends the use of PGP in a number of our core articles.

Schinzel also urged users via Twitter to visit the blog posts by the EFF, which include detailed step-by-step guides on how to disable PGP in Outlook, Apple Mail, and Thunderbird.
