Multiple vulnerabilities have been discovered in PGP and S/MIME that could allow a hacker to read emails encrypted using the standards, with one attack potentially allowing a message to be decrypted by abusing a flaw in the way Mail for iOS and macOS renders HTML-based messages.
European cybersecurity researchers have published a warning about the new “Efail” cyber attacks. The flaw comes in two varieties, which cause an issue for those using PGP and S/MIME plug-ins to secure their communications in email clients. Vulnerabilities in the OpenPGP and S/MIME standards enable the attacks, which are said to affect emails sent to the victim, including those received months or years ago.
The attacks work by abusing how an email client renders HTML content included in a message, such as by loading externally-hosted images, in an email account the hacker is either capable of accessing or can eavesdrop on.
Anything can be hacked, and almost every app has flaws. Remember that it is essential for every user and company to add extra measures of cybersecurity. Every user must use only the best cybersecurity solution, like an antivirus for Windows or antivirus for Mac, depending on which OS their device is running. Also, every company must go an extra step to obtain the best cybersecurity measure; this can be done by hiring a cybersecurity firm that will attack the company’s network on purpose to reveal its most destructive and dangerous flaws.
These kinds of deliberate attacks are carried out through specialized cybersecurity tests such as penetration tests and ethical hacking tests.
The attacker effectively alters one of the acquired encrypted emails and sends it to the victim’s account.
When opened and decrypted, the email client accesses the external content, which at the same time sends the plaintext sections of the email to the attacker.
The researchers say that this cyber attack can affect Apple Mail, iOS Mail, and Mozilla Thunderbird.
For now, it is unclear if Apple has supplied patches to fix the vulnerability, but it is likely a solution is on the way if it has not yet been deployed.
A second method, named CBC/CFB Gadget Attack, affects any standards-conforming email client.
This method is more involved, requiring the precise modification of plaintext blocks if the attacker knows elements of the message. By changing specific blocks to inject an image tag into the encrypted section, the plaintext message can then get sent to the attacker once the victim opens the malformed encrypted message.
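Both methods depend on the mail client fetching external content while it renders the decrypted HTML. The following is an added example, not code from the researchers or from any mail client: a check that a client or mail gateway could run on decrypted HTML before rendering, listing every reference that would trigger an outbound request. The function names and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make a renderer fetch a resource without user interaction.
FETCH_ATTRS = {"src", "background", "poster", "data"}
# Absolute http(s) URLs and protocol-relative URLs leave the machine.
REMOTE = re.compile(r"^\s*(?:https?:)?//", re.I)
# url(...) references inside inline CSS.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.I)


class RemoteFetchFinder(HTMLParser):
    """Collects (tag, attribute, url) triples that would cause a remote fetch."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if name == "srcset":
                # Comma-separated "url descriptor" entries.
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            elif name in FETCH_ATTRS or (name == "href" and tag == "link"):
                candidates = [value]
            elif name == "style":
                candidates = CSS_URL.findall(value)
            else:
                candidates = []  # e.g. <a href>: only followed on a click
            for url in candidates:
                if REMOTE.match(url):
                    self.hits.append((tag, name, url.strip()))


def remote_fetches(html):
    """Return every reference in `html` that loads content from the network."""
    finder = RemoteFetchFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample standing in for a decrypted HTML body.
SAMPLE_DECRYPTED_HTML = """\
<html><body style="background: url('http://tracker.example/bg.png')">
<p>Quarterly numbers attached.</p>
<img src="http://collector.example/pixel.gif?id=1">
<img src="cid:logo@local">
<a href="https://intranet.example/report">report</a>
</body></html>"""

if __name__ == "__main__":
    for hit in remote_fetches(SAMPLE_DECRYPTED_HTML):
        print("blocked remote reference:", hit)
```

A client that refuses to render (or strips) anything this check reports closes the channel through which the decrypted text would leave the machine; embedded `cid:` images and ordinary links are left alone.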
The researchers plan to release full details of the vulnerabilities and the attacks in a paper this week. Until a full disclosure is made and patches are released, we warn all users to disable encryption plugins in their clients, including GPGTools for Apple Mail and Enigmail for Thunderbird.
Because we want you to stay safe and secure against vulnerabilities like this one, we recommend implementing a robust cybersecurity solution on your devices, like an antivirus for Windows or antivirus for Mac, depending on which OS your machines are running. We also suggest that every company hire a specialized cybersecurity firm that will perform various tests, like a penetration test and various ethical hacking tests, on the company’s network to reveal if any network flaws are present.
For companies that exist 100% online, we recommend using cyber-secured web hosting services.