Nobody wants snoops peeking at their emails. Unfortunately, the newly discovered "Efail" vulnerability could make that a possibility.
On Monday morning, the Electronic Frontier Foundation (EFF) reported that Efail is able to expose HTML emails encrypted with PGP and S/MIME encryption programs -- even those that were sent years ago. These tools are commonly employed by journalists, politicians, and other users who require secure communication.
SEE ALSO: Gmail will soon be writing entire emails for you"In a nutshell, Efail abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs," the researchers write.
"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker."
In other words, once hackers gain access to your emails, they can use the HTML tags in your emails to prompt mail clients to erroneously decrypt those emails in a way that hackers can access.
So, what should you do?
EFF's recommendation: If you use PGP or S/MIME, disable them, and uninstall the tools that decrypt them.
The security community, however, has claimed these measures aren't necessary.
ProtonMail, for example, claims that many data encryption and decryption services are already patched against Efail. ProtonMail itself has verified that it is not vulnerable to Efail.
Tweet may have been deleted
Dan Guido, CEO of security company Trail of Bits, claims that Efail should be very easy for clients and savvy users to detect.
Tweet may have been deleted
But if you're still worried, you can always opt for plain-text over HTML emails -- or just use Signal like everyone else.
Featured Video For You
Here's 5 tips for Spring cleaning your digital footprint
