www.belgium.be Logo of the federal government

Critical flaw in clients using PGP or S/Mime email encryption

Advisory #2018-14
Affected software: 
Mail clients using PGP or S/MIME encryption
Abuse of HTML content to exfiltrate plain text through requested URL’s






PGP encryption and S/Mime are vulnerable to hacks that might reveal the plain text of the encrypted message, including emails sent in the past.

At this moment, no patch has been released.



A group of academics has found critical flaws in PGP and S/Mime encryption tools like Thunderbird, Outlook and Mac Mail App . The flaws, if exploited, would allow an attacker to decrypt, sent or received messages, even including emails from the past.

If an attacker has access to an encrypted email, he could use it to craft a malicious copy of the encrypted email and send it to either the original sender or one of the original receivers. Opening this email in a vulnerable client would allow the decryption of the email and the exfiltration of the decrypted data through an HTML hyperlink using the private key of the target.

A second vulnerability called “Malleability gadget exfiltration channel” is based on CFB/CBC malleability of plain text. This property allows an attacker to reorder, remove or insert cyphertext blocks, or to perform meaningful plain text modifications without the encryption key, leading to the injection of malicious snippets within the plaintext.

Both procedures are described in detail on https://efail.de.

Recommended Actions

CERT.be recommends that users disable HTML rendering and remote content in email clients. This will close a part of the backchannels exfiltration.

Further protection is possible by disabling and uninstalling encryption plugins into mail clients and using a separate application to decrypt the cyphertext such as Kleopatra.

CERT.be expects more info to be published in the coming days.