E-mail Encryption Vulnerability Exposes Private E-mail Contents

A number of security flaws within encryption mechanisms utilized for keeping sensitive e-mails safe and secure now threaten to leak out office communications and e-mails of end-users in danger such as whistleblowers, media correspondents and political dissidents who work inside hostile environments.

A researchers' team from Europe recently released a study thoroughly explaining the way for extracting the message body from electronic mails kept secure using S/MIME else PGP encryption, according to which, it's possible to sometimes crack the encryption followed with exposing the so-called private e-mails' contents.

Such a vulnerability has been named "EFail" as the researchers state it impacts more than twelve e-mail clients, importantly Thunderbird, Microsoft's Outlook and Apple Mail that enable an active plugin tool alternatively employ some traditional or localized encryption standard. Pcmag.com posted this, May 14, 2018.

One technique of assault is known as "Direct Exfiltration" which exploits flaws within Mozilla Thunderbird, iOS Mail, and Apple Mail. For that the attacker crafts an e-mail based on HTML and having 3 sections: a request tag for an image at its start, the filched cipher text duly encrypted, and another request tag for an image at its end. Such a revised e-mail by the attacker is then sent into the victim's inbox.

Thereafter, victim's e-mail client at the foremost decrypts the 2nd section followed with making a combination of all the 3 to create a single e-mail. Subsequently, it changes the entire thing into one URL having the hacker's e-mail id so a request is dispatched to that web address for recovering the image that actually doesn't exist. The attacker gets the whole decrypted e-mail in the graphical request.

Evidently, whistleblowers, political activists and journalists are at the greatest danger of the vulnerability. Down many years, sensitive e-mails have been secured with the go-to tool PGP for end-to-end encryption, while the alternative has been S/MIME. Contrarily, popular e-mail clients just treat and save recipient's e-mails utilizing plain text.

EFail impacts e-mail clients which utilize any graphical interface for the end-user such as Outlook utilizes Gpg4win, Apple Mail utilizes GPGTools and Thunderbird utilizes Enigmail, state the researchers.

» SPAMfighter News - 5/23/2018