In Apple Mail, There's No Protecting PGP-Encrypted Messages

It has been nearly two weeks since researchers unveiled "EFAIL," a set of critical software vulnerabilities that allow encrypted email messages to be stolen from within the inbox. The Intercept reports that developers of email clients and encryption plugins are still scrambling to come up with a permanent fix. From the report: Apple Mail is the email client that comes free with every Mac computer, and an open source project called GPGTools allows Apple Mail to smoothly encrypt and decrypt messages using the 23-year-old PGP standard. The day the EFAIL paper was published, GPGTools instructed users to workaround EFAIL by changing a setting in Apple Mail to disable loading remote content. Similarly, the creator of PGP, Phil Zimmermann, co-signed a blog post Thursday stating that EFAIL was "easy to mitigate" by disabling the loading of remote content in GPGTools. But even if you follow this advice and disable remote content, Apple Mail and GPGTools are still vulnerable to EFAIL.

I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote content loading is disabled (German security researcher Hanno Bock also deserves much of the credit for this exploit, more on that below). I have reported the vulnerability to the GPGTools developers, and they are actively working on an update that they plan on releasing soon.

Re: Good

[Anonymous Coward]

Uhh PGP has not been broken.
This has to do with after decryption.
The utility is fine, remote content in e-mail is broken.

Re:

[Anonymous Coward]

Drop Apple(tm) Mail and be safe. PGP gives an error that the mail client ignores!

Re:

[v1]

I don't see why anyone USES pgp on a mac. Just go get a free certificate from any of several sources, (free for personal use) and import it and DONE. all 100% integrated and supported in apple mail. has had this built-in for YEARS. Buying PGP is like buying another headlight for your car... your car already has two and they work MUCH better than any aftermarket you might be looking at.

Encrypted text preamble to protect the content

[IMarvinTPA]

> '> ">
Would > '> "> at the start of any encrypted message prevent the issue from sending the real content from going anywhere?

Thanks,
IMarv

Re:

[olsmeister]

My solution is to put this at the end of every e-mail I send. It's worked great so far.

This message is for the named recipient(s) only. It may contain confidential, proprietary or legally privileged material not waived or lost by any mistransmission. Any interception, disclosure or use of this communication by other persons is unlawful. You must not, directly or indirectly, use disclose, distribute, print or copy any part of this message if you are not the intended recipient. If you believe you have received this communication by mistake, please delete it and all copies from your system, destroy any hard copies and notify the sender.

Sensationalist bullshit

[Anonymous Coward]

Puts Apple in the headline, even though Apple has nothing to do with this -- the vulnerability is strictly within the open source plugin that people use with Apple Mail.

Additionally he trumpets that it works against systems with "load remote content" turned off... and then buries *way* down his page that his exploit requires that the user clicks a link.

WTF? Clicking links in email has *NEVER* been safe.

Your super amazing "exploit" is that you can con the user into clicking a malicious link and use an already existing vulnerability on that basis? Wow. Welcome to super genius mode, dude.

Re:

[Blasphemy]

Agreed, this story is bullshit. The problem is not with Apple Mail, but with GPG Tools. Disable or remove GPT Tools and you are good to go.

Re:

[Anonymous Coward]

Am I missing something?

Wouldn't removing GPG Tools simply revert the mail to regular email, that is, the kind that is easily MITMable right now?

At least GPG Tools puts the email in an envelope, even if it can be opened and read en-route by someone intent on doing so.

Re:

[MatthiasF]

If you watch the video and take the demonstration as genuine, clicking the link somehow shares the content of a different email message.

That's kind of a leap for even a plugin vulnerability with the remote execution turned off.

Mind you, this could all be bull. He could have staged it by hiding the pass phrase sentence mentioned in a hash in the link from the second email.

We won't know until someone confirms.

Always mention Apple for the most Clicks...

[TheFakeTimCook]

According to TFS, Apple Mail is not the ONLY Mail Client/Plugin that is affected:

"The Intercept reports that developers of email clients and encryption plugins are still scrambling to come up with a permanent fix. "

That sentence tells me it is more than Apple Mail that is affected; yet the Title makes it sound that way.

Why?

Oh, right: Clickbait.

Solution:

[Heebie]

Easy solution: Don't set up encryption in your e-mail products, but instead, (en|de)crypt all messages outside of the e-mailer, using copy/paste to get the messages into or out of your e-mail client, or even by using attachments and .ASC files etc.. If you have a clue, getting around that flaw is child's play.