A team of nine academics is warning the world about a critical vulnerability in the OpenPGP and S/MIME email encryption tools.

The flaw, codenamed EFAIL, if exploited, allow an attacker to extract the plaintext content from sent or received messages, according to the researcher team.

"They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past," researchers said. "There are currently no reliable fixes for the vulnerability."

Researchers promised to publish more details tomorrow, Tuesday, May 15. In the meantime, they are recommending that users stop using OpenPGP and S/MIME for now.

The Electronic Frontier Foundation —which researchers contacted to help them broadcast their message to a broader audience— has published tutorials on how to disable email encryption plugins, the ones which appear to be affected by the vulnerability.

Thunderbird with Enigmail
Apple Mail with GPGTools
Outlook with Gpg4win

Users are advised to disable email encryption plugins to avoid any attackers from recovering past encrypted emails after the paper's publication.

"These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community," the EFF said.

Users in dire need of using encryption to protect their communications channels were advised to use an instant messaging client that supports end-to-end encryption, the EFF recommended.

UPDATE 1: Shortly after this article's publication, some details about the potential issue appear to have leaked.

UPDATE 2: Because some researchers started disclosing details about the vulnerability ahead of schedule, the website is now live, along with the research paper, both containing more info on the EFAIL vulnerability. The EFAIL vulnerability was confirmed to affect email plugins for supporting encryption operations. More details explaining the flaw are available in tweets from security researchers below.

Related Articles:

Cloud Product Accidentally Exposes Users' TLS Certificate Private Keys

U.S. Gov Agencies Fail to Fully Embrace DMARC Email Security Policy

Facebook States 30 Million People Affected by Last Month's "View As" Bug

Facebook Vulnerability Affecting 50 Million Users Allowed Account Takeover

WhatsApp Fixes Vulnerability That’s Triggered by Answering a Call.