In normal usage In addition, e-mails are usually sent unencrypted. To protect secrets, businesses and security-minded people rely on encrypted communication with S / MIME and PGP. However, security seems to be questionable when certain e-mail programs are used. This found out efail.de now in a comprehensive report. Affected are Apple’s mail app for iOS and macOS and Mozilla Thunderbird. With these programs, it should be possible to exploit the HTML representation in order to display the e-mail content in plain text.
The functionality is extremely simple. If an attacker gains possession of an encrypted email from another user, the attacker can simply send the encrypted email back to the original sender and gain access to the content of the email without having access to the email the sender’s private encryption key.
The shipping consists of several parts: an HTML image tag, the encrypted text and the end of the HTML image tag. After the original text has been wrapped in the HTML tag, the attacker sends the email to the actual sender. There, the mail client now decrypts the second part – the encrypted text – and encodes all non-printable characters. Then the image is queried via the stored URL. The link now contains the content of the encrypted message in plain text and sends it back to the attacker when queried.
According to EFAIL, the problem should get under control quickly and could be fixed with a simple update. After the announcement, Apple should probably work at full speed on a solution and make it available soon.