Discover 2 new vulnerabilities on 2 popular email protocols

This vulnerability affects two very popular email encryption protocols, PGP and S/MIME, although the degree of impact depends on how the client software uses the protocol. Quite a lot of email client software is affected, including Apple Mail, the Mail application on iOS and Thunderbird.

European security researchers have discovered a remarkable new vulnerability in popular email encryption protocols. Through it, an attacker can inject malicious code into an email even though the protocol is designed to prevent this. If done correctly, the malicious code can be used to steal the contents of the victim's inbox.

This vulnerability affects two very popular email encryption protocols, PGP and S/MIME, although the degree of impact depends on how the client software uses the protocol. Quite a lot of email client software is affected, including Apple Mail, the Mail application on iOS, Thunderbird and even Outlook. It is worth noting that many current message authentication systems can block this type of attack.

Broadly, the attacks fall into two categories. The first, Direct Exfiltration, affects Apple's Mail on macOS and iOS and Mozilla's Thunderbird. If an encrypted email handled by one of these clients is tampered with, the attacker can exploit the vulnerability to edit the email, adding malicious HTML code before sending it back to the victim. When the victim opens the new message, the malicious code sends the plaintext of the email back to the attacker.

The second form, the CBC/CFB Gadget Attack, affects more email client software, including Microsoft Outlook, although the degree of impact varies. With PGP, each attack works one time, but with S/MIME a single email can break up to 500 messages.

Many enterprise servers still use S/MIME encryption, so the flaw could cause major concerns.

Picture 1: S/MIME seems to have a lot of trouble and is vulnerable to attack

The open source project GNU Privacy Guard has written 'there are two ways to reduce this attack: don't use HTML email; use authenticated encryption'.
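As an added illustration of the "use authenticated encryption" advice (this is not code from GnuPG or from the researchers): in OpenPGP, per RFC 4880, ciphertext travels either in a tag 9 packet with no integrity protection or in a tag 18 packet that carries a modification detection code. The Python below walks the packet headers of a binary (de-armored) message and reports which container is used; the function names and the sample byte strings are constructed for this example.

```python
# Added example: classify an OpenPGP message by its encrypted-data packet type.
# Packet tags are from RFC 4880; function names and samples are constructed.
TAG_SED = 9     # Symmetrically Encrypted Data: no integrity protection
TAG_SEIPD = 18  # Sym. Encrypted Integrity Protected Data: carries an MDC

def read_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet at pos; len may be None."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                      # new-format header
        tag, o = first & 0x3F, buf[pos + 1]
        if o < 192:
            return tag, pos + 2, o
        if o < 224:
            return tag, pos + 3, ((o - 192) << 8) + buf[pos + 2] + 192
        if o == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, None         # partial body length (streamed)
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:
        return tag, pos + 1, None         # indeterminate length
    n = 1 << ltype                        # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def encryption_container(message: bytes) -> str:
    """Walk top-level packets and report how the ciphertext is wrapped."""
    pos = 0
    try:
        while pos < len(message):
            tag, start, length = read_header(message, pos)
            if tag == TAG_SEIPD:
                return "integrity-protected"
            if tag == TAG_SED:
                return "unauthenticated"
            if length is None:
                break
            pos = start + length          # skip session-key and other packets
    except IndexError:
        raise ValueError("truncated packet header") from None
    return "no-encrypted-data"

def may_render(message: bytes) -> bool:
    """Policy: never hand plaintext from an unauthenticated container to a renderer."""
    return encryption_container(message) != "unauthenticated"

# Constructed samples: a dummy session-key packet followed by a data packet.
PROTECTED = bytes([0xC1, 3, 3, 0, 0, 0xD2, 5, 1, 0, 0, 0, 0])
LEGACY = bytes([0x84, 3, 3, 0, 0, 0xA4, 4, 0, 0, 0, 0])
```

The packet type alone is not sufficient: the client must also treat a failed or missing integrity check as a hard error and not render the plaintext.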

Sebastian Schinzel, professor of computer security at the University of Applied Sciences Münster, warns on Twitter that 'there is currently no way to fix vulnerabilities'. He encourages people to disable the above encryption protocols in their email software. The Electronic Frontier Foundation calls these 'temporary' measures until the flaw is fixed.
