Encrypted Emails At Risk From Two New Attacks

Encrypted Emails At Risk From Two New Attacks

German researchers have found a major vulnerability in PGP (Pretty Good Privacy), a popular email encryption program, which could reveal past and present encrypted emails.

Sebastian Schinzel, lead of the IT security lab at the Münster University of Applied Sciences, said the paper would be published ahead of a scheduled date later this week after the embargo was broken.

EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email", EFF said.

More details are to be published by the researchers on May 15 who recommend not using the two encryption tools until they are fixed. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers.

More news: Over 40 killed in storms across India

In a tweet, the Foundation especially warned users not to decrypt PGP-encrypted messages in mail clients.

Germany's Federal Office for Information Security (BSI) admitted that the findings constituted "a serious security breach".

It added, however, that it considered the encryption standards themselves to be safe if correctly implemented and configured. Specifically, if they handle MDC (modification detection code) errors correctly, Koch's colleague Robert J. Hansen said, and the above-named clients appear to be some of those that are vulnerable.

The researchers note that S/MIME uses Cipher Block Chaining, while OpenPGP uses Cipher Feedback, both of which are exploitable in similar ways. Then the emails are changed in a particular way and sent to a victim. However, the researchers have confirmed the exploitable vulnerabilities only exist for email users. In addition the mails would need to be in HTML format and have active links to external content to be vulnerable, the BSI said.