EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails. (UPDATE – This attack targets buggy email clients.)
The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.
Susceptibility of OpenPGP, GnuPG, and Gpg4Win
Full technical paper
Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels [v0.9 Draft][PDF]
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk.
27th USENIX Security Symposium, Baltimore, August 2018.
The team can be contacted at email@example.com.
Electronic Frontier Foundation
MAY 13, 2018
Attention PGP Users: New Vulnerabilities Require You To Take Action Now
MAY 14, 2018
Critical PGP and S/MIME bugs can reveal encrypted e-mails. Uninstall now