If you have been encrypting your e-mails using Pretty Good Privacy (PGP) and S/MIME applications thinking that they are safe, think again. Professor Sebastian Schinzel of Germany's Münster University of Applied Sciences warns that the two popular e-mail encryption tools have a bug, called Efail, that could potentially allow encrypted e-mails to be read as plaintext. The research describes two attacks. The first is the direct attack, which "abuses vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird to directly exfiltrate the plaintext of encrypted e-mails". The second is the "Cipher Block Chaining/Cipher Feedback gadget attacks", which abuse vulnerabilities in the specification of PGP and S/MIME to exfiltrate the plaintext. The research says that one good way to prevent Efail attacks is to only decrypt S/MIME or PGP e-mails in a separate application outside of the e-mail client.
Source: The Star May 14, 2018 11:15 UTC