‘Efail’ exploit can expose old email content that was previously encrypted

Some experts recommend you should remove S/MIME and PGP private keys from your email client in the meantime.

Lingering software flaws that have existed in popular email clients can be exploited under certain conditions to access email content even when they’re protected by PGP or S/MIME standards, according to new research.

The research, dubbed “efail,” explains how it’s possible to exploit buggy email platforms, particularly in the way PGP is integrated into the platform. It does not show how to “break” the actual encryption protocol supporting PGP, short for “pretty good privacy.”

Sebastian Schnitzel, who co-authored the research, urged people to disable PGP or S/MIME in their email client until a fix can be issued.


The research is focused on how popular HTML-based email platforms — like Mozilla’s Thunderbird, Apple’s Mail, and Microsoft Outlook — continue to mishandle specific, internal configurations within email. In practice, an attacker could leverage these issues to redirect components of an encrypted message decrypted by the email client towards their own server, revealing the actual plaintext behind the targeted e-mail. 

Researchers were careful to state Monday that an attacker has to already have access to a person’s email account in order for the exploit to work.

On a website dedicated to the flaw, researchers laid out how attacks would be carried out inside email clients through various code loopholes.

In the short term, researchers call for users to disable HTML rendering and avoid decrypting emails in an email client. However, they also call for an updated to OpenPGP and S/MIME standards, so the vulnerabilities can be closed.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts