'Efail' vulnerability lies in apps, not PGP and GnuPG

A security scare said to affect the popular Pretty Good Privacy (PGP) and Gnu Privacy Guard (GnuPG) protocols used to encrypt email messages is in fact caused by bugs in older mail apps.

Source: Efail researchers.

The issue arose after researchers from three German universities claimed to have devised an  attack the called Efail, which they said would allow the decryption of current and past emails scrambled with PGP or GnuPG and exfiltration of the decoded content.

But maintainers of the open source GnuPG set of encryption tools quickly issued a statement on Efail, pointing out that the issue affects older email applications and not the protocol itself.

The GPG maintainers said that Efail was about email programs not handling error messages from the Modification Detection Code feature properly.

MDC detects if attackers have modified the message code, and has been part of PGP and GnuPG since the middle of 2000.

Of Efail, the maintainers said that users "might be vulnerable if you're running an ancient version of GnuPG (the 1.0 series; the current is 2.2), or if your email plugin doesn't handle GnuPG's warning correctly.

"You might also have had some exposure in the past if back then you used a pre-2000 version of GnuPG, and/or an email plugin which didn't handle the warning correctly," the GPG team wrote.

Furthermore, in order to exploit the Efail vulnerability, attackers would need to capture emails and send them to the original recipient for decryption, the researchers said.

Attackers need to send emails as specially crafted HTML messages that contain the code required to exfiltrate decoded text from vulnerable programs.

GnuPG suggested users check if their email programs are vulnerable against the list compiled by the researchers, but warned that it might not be accurate.

While the GnuPG maintainers expressed gratitude towards the researchers for compiling the list of buggy email programs, they wished that "this thing had been handled with a little less hype".

Elements of the research leaked out overnight, forcing the researchers to lift an embargo.

"A whole lot of people got scared, and over very little," the GnuPG team said.

Fears were fuelled by early tweets from the likes of F-Secure founder and IT security luminary Mikko Hyppönen:

This vulnerability might be used to decrypt the contents of encrypted emails sent in the past. Having used PGP since 1993, this sounds baaad. #efail

— Mikko Hypponen (@mikko) May 14, 2018

Digital rights lobby group the Electronic Frontier Foundation also went as far as recommending that users disable PGP integration in their email clients because of Efail.

Security industry veteran Graham Cluley suggested that this was not a good idea.

"You’re probably putting yourself at greater risk if you have something sensitive to communicate by reverting to unencrypted email," Cluley wrote.

Avoid HTML in emails, and S/MIME can't be fixed

The researchers suggest to disable HTML for email, and security experts agree that this is good practice, as connecting to remote servers and downloading unknown code from them poses a significant risk.

This advice is especially important when Secure Multipurpose Internet Mail Extensions (S/MIME) is used, as that protocol contains a weakness that can be exploited via malformed HTML tags.