Slashdot Mirror
In Apple Mail, There's No Protecting PGP-Encrypted Messages (theintercept.com)
It has been nearly two weeks since researchers unveiled "EFAIL," a set of critical software vulnerabilities that allow encrypted email messages to be stolen from within the inbox. The Intercept reports that developers of email clients and encryption plugins are still scrambling to come up with a permanent fix. From the report: Apple Mail is the email client that comes free with every Mac computer, and an open source project called GPGTools allows Apple Mail to smoothly encrypt and decrypt messages using the 23-year-old PGP standard. The day the EFAIL paper was published, GPGTools instructed users to workaround EFAIL by changing a setting in Apple Mail to disable loading remote content. Similarly, the creator of PGP, Phil Zimmermann, co-signed a blog post Thursday stating that EFAIL was "easy to mitigate" by disabling the loading of remote content in GPGTools. But even if you follow this advice and disable remote content, Apple Mail and GPGTools are still vulnerable to EFAIL.
I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote content loading is disabled (German security researcher Hanno Bock also deserves much of the credit for this exploit, more on that below). I have reported the vulnerability to the GPGTools developers, and they are actively working on an update that they plan on releasing soon.
I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote content loading is disabled (German security researcher Hanno Bock also deserves much of the credit for this exploit, more on that below). I have reported the vulnerability to the GPGTools developers, and they are actively working on an update that they plan on releasing soon.
Puts Apple in the headline, even though Apple has nothing to do with this -- the vulnerability is strictly within the open source plugin that people use with Apple Mail.
Additionally he trumpets that it works against systems with "load remote content" turned off... and then buries *way* down his page that his exploit requires that the user clicks a link.
WTF? Clicking links in email has *NEVER* been safe.
Your super amazing "exploit" is that you can con the user into clicking a malicious link and use an already existing vulnerability on that basis? Wow. Welcome to super genius mode, dude.