Researchers have discovered bugs in Apple Mail’s HTML rendering on Mac as well as iOS in addition to Mozilla Thunderbird. These flaws make it possible for attackers to mine plain text from mail messages that were originally sent as encrypted text.
Many businesses rely on PGP and S/MIME encrypted email to keep communications confidential.
The main issue that affects Apple Mail, Mozilla Thunderbird’s client and iOS Mail is a system that utilises multipart responses to take advantage of issues with HTML rendering.
To put it differently: if a hacker gets hold of someone’s encrypted email, they can send that encrypted text back to the user and thereby disclose the unencrypted plain text format without ever requiring the sender’s confidential encryption keys.
Basically, the hacker would have to send three parts: an encrypted text string, an incomplete HTML tag declaration, and the final HTML to close the image tag.
What happens next is that the Mail client decrypts the cypher text, and then renders is as the bogus picture’s source URL.
When the recipient opens the email using their own email client, it will then try to load the URL to open the image. The hacker’s server logs this request, and it then has its own copy of the now unencrypted content. Naturally, the domain forming part of the URL has to be controlled by the hacker to do this, for instance, efail.de.
The only permanent way to resolve this is via a software update, which is undoubtedly in the pipeline. Until then, users can respond by disabling ‘Load remote content in messages’ under Mail Preferences for Mac or Apple Mail. On iOS, this is under ‘iOS Settings and called ‘Load Remote Images’.
You could also completely try removing the PGP keys from the email client, so the app cannot decrypt encoded strings at all.
Before you go
After spending over 20 years working with Macs, both old and new, theres a tool I think would be useful to every Mac owner who is experiencing performance issues.
CleanMyMac is highest rated all-round cleaning app for the Mac, it can quickly diagnose and solve a whole plethora of common (but sometimes tedious to fix) issues at the click of a button. It also just happens to resolve many of the issues covered in the speed up section of this site, so Download CleanMyMac to get your Mac back up to speed today.