Discover 2 new vulnerabilities on 2 popular email protocols
This vulnerability affects two of the very popular email protocols, PGP and S / MIME, although the degree of impact depends on the use of the client software's protocol. Quite a lot of email client software is affected, including Apple Mail, Mail application on iOS and Thunderbird.
European security researchers have discovered a remarkable new vulnerability in the popular email encryption protocol. Through it, an attacker can inject malicious code into email even though the protocol is designed to prevent this behavior. If done correctly, malicious code can be used to steal the contents of the victim's inbox.
This vulnerability affects two of the very popular email protocols, PGP and S / MIME, although the degree of impact depends on the use of the client software's protocol. Quite a lot of email client software is affected, including Apple Mail, Mail application on iOS , Thunderbird and even Outlook. It is worth noting that many current message authentication systems can block this type of attack.
Basically the attack type can be divided into two categories: Direct Exfiltration affects macOS and iOS Mail of Apple and Thunderbird of Mozilla. If the encrypted email using these client software is tampered with, the attacker could exploit the vulnerability to edit the email, adding the malicious HTML code before sending it back to the victim. When the victim opens a new message, the malicious code will send back the plaintext email.
The second form is CBC / CFB Gadget Attack which affects more email client software, including Microsoft Outlook but the level depends. With PGP, every 1 attack will be 1 time but with S / MIME an email can break up to 500 messages.
Many enterprise servers still use S / MIME encryption, so the flaw could cause major concerns.
S / MIME seems to have a lot of trouble and is vulnerable to attack
Open source software GNU Privacy Guard has written 'there are two ways to reduce this attack: don't use HTML email . use authenticated encryption'.
Sebastian Schinzel, professor of computer security at the University of Applied Sciences Münster warns on Twitter that 'there is currently no way to fix vulnerabilities'. He encourages people to disable the above encryption protocols in their email software. The Electronic Frontier Foundation calls these 'temporary' measures before the error is fixed.
See more:
- Outlook may not encrypt your email if you use S / MIME encryption
- 8 best secure email services ensure your privacy
- Microsoft will encrypt email, preventing mail forwarding in Outlook
You should read it
- How to add and delete Email accounts on Mac, iPhone and iPad
- 6 best email apps for Mac
- What is email encryption? Why does it play an important role in email security?
- How to encrypt email
- Launch Email editor quickly from web browser
- 7 most popular email security protocols today
- How to handle when email automatically sends bulk spam
- Send Email using PHP
- Differentiate POP and IMAP
- How to set up the default email client on Windows 10
- Beware of the 7 most common types of spam
- The only secure email is the text-only email