Nobody wants snoops peeking at their emails. Unfortunately, the newly discovered “Efail” vulnerability could make that a possibility.

On May 14th, the Electronic Frontier Foundation (EFF) reported that Efail is able to expose HTML emails encrypted with PGP and S/MIME encryption programs — even those that were sent years ago. These tools are commonly employed by journalists, politicians, and other users who require secure communication.

“In a nutshell, Efail abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs,” the researchers write.

“The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.”

In other words, once hackers gain access to your emails, they can use the HTML tags in your emails to prompt mail clients to erroneously decrypt those emails in a way that hackers can access.

So, what should you do?

EFF’s recommendation: If you use PGP or S/MIME, disable them, and uninstall the tools that decrypt them.

The security community, however, has claimed these measures aren’t necessary.

ProtonMail, for example, claims that many data encryption and decryption services are already patched against Efail. ProtonMail itself has verified that it is not vulnerable to Efail.

Original Article: By Monica Chin of Mashable

Facebooktwittergoogle_plusredditpinterestlinkedinmail