Security researchers have discovered critical vulnerabilities in PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), two of the most popular security tools used to exchange encrypted emails containing sensitive data. The critical flaws can be exploited to leak the contents of the emails exchanged between users who are signed up with the PGP or S/MIME service.
Sebastian Schinzel, a professor of Computer Security at the Münster University of Applied Sciences, tweeted about the vulnerabilities and mentioned that they may be leveraged by hackers to leak the ‘plaintext of encrypted emails’, and even the emails that have been sent in the past.
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
— Sebastian Schinzel (@seecurity) May 14, 2018
“There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now”, Schinzel said in another tweet. San Francisco-based international digital rights group, Electronic Frontier Foundation (EFF), is in contact with the cybersecurity experts who discovered the vulnerabilities and has advised those who use any of the two services to disable the plug-ins or remove them from their email client as soon as possible.
“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email”, EFF wrote in an official blog post. EFF will provide details about the PGP and S/MIME vulnerabilities in a paper that will be published tomorrow, but until then, the non-profit organization has advised users to ‘stop sending and especially reading PGP-encrypted email’, and use other email encryption tools.
According to EFF, the two vulnerabilities pose an immediate threat to users who use PGP and S/MIME to exchange email, as they risk the leakage of data being exchanged in real-time and that which has been shared in the past. If you utilize PGP and are concerned about the new security threat, you can read EFF’s how-to article to learn how to disable PGP in Outlook.