Efail Email Encryption Vulnerabilities Expose OpenPGP Users to Risk

Security researchers detail a series of flaws in the widely deployed OpenPGP and S/MIME standards that could potentially enable an attacker to decrypt emails.


Security researchers on May 14 announced a new set of vulnerabilities—dubbed Efail—in the widely deployed S/MIME and OpenPGP email encryption technologies.

In a 21-page academic paper, the researchers from Munster University, Ruhr University Bochum and KU Leuven detail Efail, which could potentially enable an attacker to read emails that have been encrypted with the OpenPGP and S/MIME standards.

"We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails," the researchers wrote. "We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients."

There are two different vulnerabilities detailed in the Efail paper: CVE-2017-17688 for the OpenPGP attacks and CVE-2017-17689 for S/MIME. Among the popular email clients the researchers found to be at risk are Apple Mail, iOS Mail and Mozilla Thunderbird. The Efail attacks do not provide attackers with a method to access a victim's email account, but rather are all about the encryption layer.

"The Efail attacks require the attacker to have access to your S/MIME or PGP encrypted emails," the Efail website FAQ states. "You are thus only affected if an attacker already has access to your emails. However, the very goal of PGP or S/MIME encryption is the protection against this kind of attacker."

Technical Details

The research paper details multiple approaches for using the vulnerabilities to decrypt S/MIME and OpenPGP encrypted emails. In one attack method, the researchers take advantage of Cipher Feedback Mode (CFB) in OpenPGP and Cipher Block Chaining (CBC) in S/MIME. According to the researchers, both CFB and CBC enable an attacker to reorder, remove or insert ciphertext blocks, or to perform meaningful plaintext modifications without the encryption key. 

"Malleability of these two encryption modes is well-known and has been exploited in many attacks on network protocols like TLS, IPsec, or SSH, but it has not been exploited in plaintext-recovery attacks on email standards," the researchers wrote.

Another attack method that the researchers detailed is a relatively simple approach that exploits the interaction of HTML with S/MIME and OpenPGP.

"In the most straightforward example of our attacks, the adversary prepares a plaintext email structure that contains an <img> element, whose URL is not closed with quotes," the researchers wrote.

The research paper details a method whereby the simple omission of not closing the URL with quotes can enable an attacker to get access to the decrypted email contents.

"It is astonishing that these vulnerabilities are still present in current versions of Thunderbird or Apple Mail," the researchers wrote.


Patching efforts from multiple vendors are underway, but in the near term, the researchers suggest mitigation steps to minimize the risk of exploitation via the Efail attack methods.

For the HTML risk, the researchers advise that OpenPGP and S/MIME users simply disable HTML rendering.

"The Efail attacks abuse active content, mostly in the form of HTML images, styles, etc.," the Efail site states. "Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking Efail."

Another short-term fix suggested by security researchers is that OpenPGP and S/MIME users decrypt emails outside of their primary email client. The Efail attacks rely on external communication, and if a user is decrypting emails in a stand-alone application, the risks are somewhat muted.

Beyond short-term mitigations, there are longer-term efforts needed to fully secure S/MIME and OpenPGP based email encryption as well.

"The Efail attacks exploit flaws and undefined behavior in the MIME, S/MIME, and OpenPGP standards," the researchers wrote. "Therefore, the standards need to be updated, which will take some time."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.