The flaw, codenamed EFAIL, if exploited, allows an attacker to extract the plaintext content from sent or received messages, according to the research team.
"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past," researchers said. "There are currently no reliable fixes for the vulnerability."
Researchers promised to publish more details tomorrow, Tuesday, May 15. In the meantime, they are recommending that users stop using OpenPGP and S/MIME for now.
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4— Sebastian Schinzel (@seecurity) May 14, 2018
The Electronic Frontier Foundation —which researchers contacted to help them broadcast their message to a broader audience— has published tutorials on how to disable email encryption plugins, the components that appear to be affected by the vulnerability.
Users are advised to disable email encryption plugins to prevent attackers from recovering past encrypted emails after the paper's publication.
"These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community," the EFF said.
Users who depend on encryption to protect their communication channels should, for now, switch to an instant messaging client that supports end-to-end encryption, the EFF recommended.
This looks... bad. Serious vulnerabilities found in PGP and S/MIME, likely in the protocols themselves rather than in an implementation. Users advised to disable PGP clients. https://t.co/XCpwg414fP— Martijn Grooten (@martijn_grooten) May 14, 2018
UPDATE 1: Shortly after this article's publication, some details about the potential issue appear to have leaked.
I have. In fact, I just read this: https://t.co/LttsDC9BjY— Martijn Grooten (@martijn_grooten) May 14, 2018
which pretty much spells out what the issue is.
UPDATE 2: Because some researchers started disclosing details about the vulnerability ahead of schedule, the efail.de website is now live, along with the research paper, both containing more info on the EFAIL vulnerability. The EFAIL vulnerability was confirmed to affect email client plugins that handle encryption operations. More details explaining the flaw are available in the tweets from security researchers below.
S/MIME vulnerability is due to how it's implemented by mail clients, and facilitated by HTML. Do: (1) disable affected mail extensions (2) send text mails [not HTML], (3) use OpenPGP. Don't: (1) Use vulnerable clients (2) panic. https://t.co/X4uJqboh4j pic.twitter.com/ZI7gp2nDgF— Lukasz Olejnik (@lukOlejnik) May 14, 2018
In a nutshell, if I intercept an encrypted email sent to you, I can modify that email into a new encrypted email that contains custom HTML. In many GUI email clients, this HTML can exfiltrate the plaintext to a remote server. Ouch. 2/— Matthew Green (@matthew_d_green) May 14, 2018
The real news here is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal. 4/— Matthew Green (@matthew_d_green) May 14, 2018
But of course the attack also implicated the garbage-fire that is the PGP ecosystem so of course that’s what everyone is talking about. Over on HN the “its not PGP it’s mail clients” dance has begun so I guess we have to talk about that. 6/— Matthew Green (@matthew_d_green) May 14, 2018
So let me just cut through some of that. If you were using GnuPG on the command line and checking your error results, it’s absolutely true that you’re fine. If you’ve been using (one of several) GUI clients with PGP encryption, you were anything but fine. 7/— Matthew Green (@matthew_d_green) May 14, 2018
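The "checking your error results" point above is what separates the safe command-line workflow from the affected GUI clients: a decrypted message must only be used when GnuPG reports it as intact. The script below is an added example, not code from the article or from the researchers; it parses GnuPG's machine-readable `--status-fd` lines (the real `GOODMDC`, `BADMDC`, `DECRYPTION_OKAY` and `DECRYPTION_FAILED` status tokens) and accepts the plaintext only when the integrity check passed. The two status files are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not from the article): accept a GnuPG decryption result only
# when the status lines show an intact, integrity-protected message. A client
# that renders whatever gpg emits, even after a tampering error, is the kind of
# behaviour the EFAIL researchers describe; this check refuses such output.
#
# Assumed real-world invocation (standard gpg options):
#   gpg --batch --status-fd 2 --decrypt msg.asc 2>status.txt >plain.txt
#   gpg_status_ok status.txt && use plain.txt, otherwise discard it.

# gpg_status_ok FILE: exit 0 only if FILE shows GOODMDC and DECRYPTION_OKAY
# and no failure marker; exit 1 otherwise.
gpg_status_ok() {
    file="$1"
    good_mdc=0; okay=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODMDC"*)            good_mdc=1 ;;
            "[GNUPG:] DECRYPTION_OKAY"*)    okay=1 ;;
            "[GNUPG:] BADMDC"*)             bad=1 ;;  # ciphertext was altered
            "[GNUPG:] DECRYPTION_FAILED"*)  bad=1 ;;
        esac
    done < "$file"
    # Both positive markers must be present and no failure marker may appear.
    [ "$bad" -eq 0 ] && [ "$good_mdc" -eq 1 ] && [ "$okay" -eq 1 ]
}

# Constructed sample status output for a message left intact in transit ...
INTACT_STATUS=$(mktemp)
cat >"$INTACT_STATUS" <<'EOF'
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] GOODMDC
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
EOF

# ... and for the same message after its ciphertext was modified.
TAMPERED_STATUS=$(mktemp)
cat >"$TAMPERED_STATUS" <<'EOF'
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
EOF

if gpg_status_ok "$INTACT_STATUS"; then echo "intact: plaintext accepted"; fi
if ! gpg_status_ok "$TAMPERED_STATUS"; then echo "tampered: plaintext discarded"; fi
```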