Most of us choose to send email unencrypted, since after all most of our messages contain little valuable information. But when dealing with sensitive data, some people encrypt an email before sending it to the recipients through their email clients.
Sebastian Schinzel, head of the IT security lab at the Münster University of Applied Sciences, published a paper on Monday describing critical vulnerabilities in PGP/GPG and S/MIME email encryption. Among his findings, HTML rendering flaws in Apple Mail for iOS and macOS allow attackers to reveal the plaintext of someone’s encrypted emails without needing the sender’s private encryption keys.
According to the paper, EFAIL describes “vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails”. The attack abuses active content in HTML emails to exfiltrate the plaintext through URLs that the mail client requests.
Users of Apple Mail, iOS Mail and Mozilla Thunderbird can fall victim to the direct exfiltration EFAIL attacks if they use PGP/GPG or S/MIME email encryption software, which makes messages unreadable without the encryption key. For the attack to work, the attacker must already have access to your encrypted S/MIME or PGP emails, for example by compromising email accounts or email servers. Sebastian also points out that these vulnerabilities can be fixed in the respective email clients.
Until Apple pushes out a fix for this issue in the Mail client on both iOS and macOS, what can you do to protect yourself? Sebastian Schinzel offers two suggestions for personal precautions. The best way to prevent EFAIL attacks is to “only decrypt S/MIME or PGP emails in a separate application outside of your email client”, which means disabling or uninstalling tools that automatically decrypt PGP-encrypted email. You can also disable the display of incoming HTML emails in your email client, since the EFAIL attacks mostly abuse active content in the form of HTML images, styles and the like.
Specifically, Mac users can open the Preferences pane in the Mail app, click the Viewing tab, and disable the Load Remote Content in Messages option. After that, quit Mail and delete the GPGMail.mailbundle file in the ~/Library/Mail/Bundles folder.
On your iOS devices, open the Settings app, select Mail from the list, and toggle the Load Remote Image option under Message to Off.
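To make concrete what the Load Remote Content setting suppresses, here is an added example (not code from the EFAIL paper or from any mail client) that scans an HTML mail body for the remote references a client would fetch over the network; the sample message and the example.invalid host are constructed.

```python
"""Flag remote-content references in an HTML mail body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags and attributes that make a mail client issue a network request.
FETCH_ATTRS = {
    "img": ("src",), "link": ("href",), "iframe": ("src",),
    "object": ("data",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "input": ("src",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)


def _is_remote(url):
    # cid:/data: references are embedded in the message itself; only
    # http(s) URLs cause the client to talk to an external server.
    return urlsplit(url.strip()).scheme.lower() in ("http", "https")


class RemoteContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []        # (tag, url) pairs that would trigger a fetch
        self._in_style = False  # inside a <style> block (CSS url() refs)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name) and _is_remote(attrs[name]):
                self.remote.append((tag, attrs[name]))
        # Inline style="background:url(...)" loads remotely as well.
        for url in CSS_URL.findall(attrs.get("style") or ""):
            if _is_remote(url):
                self.remote.append((tag, url))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.remote.extend(("style", u) for u in CSS_URL.findall(data)
                               if _is_remote(u))


def find_remote_content(html):
    """Return (tag, url) references that would cause network requests."""
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.remote


# Constructed sample body: one inline cid image (no fetch), one remote
# image, one remote stylesheet and a <style> block with a remote background.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://example.invalid/mail.css">
<style>body{background:url("https://example.invalid/bg.png")}</style>
</head><body>
<img src="cid:logo@local"><img src="https://example.invalid/pixel.gif">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_remote_content(SAMPLE):
        print(f"{tag}: {url}")
```

A client or gateway that refuses to load anything this function reports gets the same protection the Viewing tab option provides, whatever the message's encryption status.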