Everyone uses email; business and society seemingly cannot function without it. Like most other communications technology, email can be sent unsecured or encrypted. As is no secret, people use encrypted email to send information to others that needs to be kept private, away from the prying eyes of the government, the public, or anyone else. Unfortunately, security researchers discovered critical vulnerabilities within email that defeat the encryption and allow the email to be read in plaintext.

Email is typically encrypted using either the PGP or S/MIME encryption protocols. However, this encryption can be exploited by an attacker altering the way the message processes the HTML portions of the email, such as photos, videos, or other multimedia styling. Once the attacker is able to inject such a malicious element, the altered email is encrypted and sent. When the recipient opens the email and the email software decrypts it, the malicious element loads and opens a channel that allows the attacker to also view the plaintext of the message.

So this is bad. Obviously, encryption is meant to keep a message away from prying eyes and readable only by the sender and intended recipients. In fact, the Electronic Frontier Foundation (EFF), a non-profit security group focused on privacy rights and anonymity, recommended that people stop sending encrypted email altogether.

For some, that may make sense, particularly if you are highly likely to be targeted by hackers. But for most, such an action is extreme and unnecessary. In order for this exploit to work, the hacker already needs to have access to your emails, which means they probably have a high level of access to your whole system anyway. So most of the general public, and even most businesses, are probably at low risk. The effort required of the hacker is such that they really need to be targeting you specifically and believe the information you are encrypting is highly valuable.

Examples of those who are most at risk are companies or organizations that work in national security (for any country, not just the United States), advanced technology and innovation, and financial institutions. Additionally, dissidents and activists who may be targeted by governments are at high risk. These are, again, just examples, but the point is that for most of us, the risk is minimal.

In the event one views the risk and vulnerability as too great, the EFF recommended that “users should arrange for the use of alternative end-to-end secure channels, such as Signal.” At the very least, all users and organizations should patch their email clients when those patches are developed and released. Users should also consider sending text-only emails where possible. Include as little HTML as possible, even though most email clients still insert some that is outside of the user's control. The idea is to decrease the likelihood of an attacker using this exploit against you.
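To make the text-only advice concrete, the following added example (not code from the EFAIL researchers, the EFF, or this article's sources) flags HTML parts of a message that would load remote content when rendered, and returns the plain-text body only. The sample message and the `tracker.example` host are constructed placeholders, and the list of auto-loading attributes is an assumption that covers common cases rather than every one.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumption: attributes a mail client may fetch automatically while rendering.
AUTO_LOAD_ATTRS = {"src", "background", "poster"}

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for elements that load remote content."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            auto = name in AUTO_LOAD_ATTRS or (tag == "link" and name == "href")
            url = (value or "").strip()
            if auto and url.lower().startswith(("http://", "https://", "//")):
                self.refs.append((tag, name, url))

def remote_refs(raw):
    """Return remote-loading references found in every text/html part."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.refs)
    return found

def text_only_view(raw):
    """Return the text/plain body only, or None if the message has none."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else None

def build_sample():
    """Constructed sample message; tracker.example is a placeholder host."""
    m = EmailMessage()
    m["Subject"] = "Q3 figures"
    m.set_content("Quarterly numbers attached.")
    m.add_alternative(
        "<html><body><p>Quarterly numbers attached.</p>\n"
        '<img src="https://tracker.example/p.png">\n'
        '<img src="cid:logo"></body></html>\n', subtype="html")
    return m.as_string()

if __name__ == "__main__":
    print(remote_refs(build_sample()), text_only_view(build_sample()))
```

The embedded `cid:` image is not flagged because it travels inside the message; only the reference that would trigger a network request is reported.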

Sources:

EFAIL

Wired.com

EFF
