Emails are an integral part of our daily lives, be it professional or personal. This week researchers have highlighted a few issues with the back-end of emails which reveal all the content you have ever sent.
It doesn’t even matter if they are encrypted, all details, information of the sender or any confidential information can be accessed by the hacker. What’s brought about this huge flaw, why hasn’t this been acknowledged earlier?
According to a detailed post called EFail by security researchers in Germany, a serious vulnerability affecting PGP (a widely used method of encrypting emails ) has been discovered.
This flaw is capable of revealing the plaintext of encrypted emails, including encrypted emails sent in the past. Emails are generally secure in nature but the PGP issue could put anybody’s digital existence in jeopardy.
What is the Flaw?
According to the revelations made, the EFail attacks can be used to break the PGP (pretty good privacy) which is the additional encryption layer.
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication used to increase security of emails. It was developed in 1991.
Researchers have admitted there wasn’t any flaw in the OpenPGP system but the problem was with the clients who failed to check for decryption errors properly.
The EFail hack is set into motion by inserting manipulated text into an email that has been intercepted by hackers. This email is sent to recipients who open them and click on the link without knowing about its threat.
Once the mail has been opened, the malicious code inside the text, tricks the program into sending a plain-text version back to the hacker.
Who’s Affected?
The researchers believe that the flaw will mostly hit journalists, political activists or whistleblowers who use an additional encryption layer, often PGP.
The EFail attacks can be used to break this additional encryption layer. If the hacker gets access to your email content, s/he can read the plain-text version of it.
According to the post, most emailing clients like Gmail, Apple Mail and Mozilla's Thunderbird among others are likely to have been affected by the attack.
What Can I Do?
The observation comes with a word of caution and intimation. The EFail attack requires the attacker to have access to your S/MIME or PGP encrypted emails. Only then can the attack affect you.
To exploit the vulnerability, the attackers have to change an encrypted email in a specific way and send it to the victim.
Experts in the domain have confirmed there is no fix for the flaw. Users are advised to disable all email tools that automatically decrypt PGP until a patch is released by email client providers, who have been informed about the vulnerability reported.
It’s hard to live without an email account these days. Most of your apps, even your smartphone operates with access to your email ID. In such scenario, it is better to follow the advice handed out by the researchers.
It’ll be worth looking at the response time of the email solution providers. Hopefully, the flaw will be fixed before something major happens.
(The Quint is now on WhatsApp. To receive handpicked stories on topics you care about, subscribe to our WhatsApp services. Just go to TheQuint.com/WhatsApp and hit Send.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)