Researchers Discover Vulnerabilities in PGP/GPG Email Encryption Plugins, Users Advised to Avoid for Now

by

A warning has been issued by European security researchers about critical vulnerabilities discovered in PGP/GPG and S/MIME email encryption software that could reveal the plaintext of encrypted emails, including encrypted messages sent in the past.

GPGMail pane
The alert was put out late on Sunday night by professor of computer security Sebastian Schinzel. A joint research paper, due to be published tomorrow at 07:00 a.m. UTC (3:00 a.m. Eastern Time, 12:00 am Pacific) promises to offer a thorough explanation of the vulnerabilities, for which there are currently no reliable fixes.


Details remain vague about the so-called "Efail" exploit, but it appears to involve an attack vector on the encryption implementation in the client software as it processes HTML, rather than a vulnerability in the encryption method itself. A blog post published late Sunday night by the Electronic Frontier Foundation said:

"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

In the meantime, users of PGP/GPG and S/MIME are being advised to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email, and seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.

Update: The GPGTools/GPGMail team has posted a temporary workaround against the vulnerability, while MacRumors has compiled a separate guide to removing the popular open source plugin for Apple Mail until a fix for the vulnerability is released. Other popular affected clients include Mozilla Thunderbird with Enigmail and Microsoft Outlook with GPG4win. Click the links for EFF's uninstall steps.

Tags: Encryption, Security

Popular Stories

Apple Announces Special Event in New York Feature 1

Apple Reportedly Plans to Unveil at Least Five New Products Next Week

Sunday February 22, 2026 9:48 am PST by
In his Power On newsletter today, Bloomberg's Mark Gurman said Apple will have a three-day stretch of product announcements from Monday, March 2 through Wednesday, March 4. In total, he expects Apple to introduce "at least five products." A week ago, Apple invited selected journalists and content creators to an "Apple Experience" in New York, London, and Shanghai on Wednesday, March 4 at 9...
Read Full Article140 comments
maxresdefault

iPhone Fold: Launch, Pricing, and What to Expect From Apple's Foldable

Friday February 20, 2026 3:21 am PST by
Apple is expected to launch a new foldable iPhone this year, based on multiple rumors and credible sources. The long-awaited device has been rumored for years now, but signs increasingly suggest that Apple will release its first foldable device in 2026. Subscribe to the MacRumors YouTube channel for more videos. Below, we've collated an updated set of key details that have been leaked about ...
Read Full Article95 comments
Apple Watch 15 Tips Every Owner Needs to Know Feature

Apple Watch: 15 Tips Every Owner Needs to Know

Thursday February 19, 2026 7:38 am PST by
Apple Watch is now eleven generations in, and packed with useful features that are easy to miss at first glance. To help you get more out of your new device, we've rounded up 15 practical tips you might not have discovered yet, including a few that long-time users often overlook. Bounce Between Two Apps On your Apple Watch, double-press the Digital Crown to see a deck of all currently...
Read Full Article35 comments
Low Cost A18 Pro MacBook Feature Pink

Three Upcoming Apple Products Seemingly Spotted in macOS 26.3 Code

Friday February 20, 2026 7:36 am PST by
macOS 26.3 hints at Apple's rumored lower-cost MacBook, and two new Studio Display models, according to Macworld's Filipe Espósito. Espósito found the following codenames within macOS 26.3's source code, and he revealed the upcoming products that they likely correspond with, based on previous reporting from Bloomberg's Mark Gurman and others. The codenames:J700: Lower-cost MacBook J427:...
Read Full Article87 comments
iOS 26

iOS 26.3.1 Update for iPhones Coming Soon as 'Apple Experience' Nears

Sunday February 22, 2026 5:29 pm PST by
Apple's software engineers are testing iOS 26.3.1, according to the MacRumors visitor logs, which have been a reliable indicator of upcoming iOS versions. iOS 26.3.1 should be a minor update that fixes bugs and/or security vulnerabilities, and it will likely be released within the next two weeks. Last month, Apple released iOS 26.2.1 with bug fixes and support for the second-generation...
Read Full Article41 comments

Top Rated Comments

flyinmac Avatar
flyinmac
102 months ago
Hmm.... security protocol creates a vulnerability. To protect yourself, stop encrypting your emails???

Interesting.
Score: 12 Votes (Like | Disagree)
A
arekm
102 months ago
This looks like another clickbait by (almost pseudo) research teams. The problem is within mail software and not PGP encryption standard or tools.

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
Score: 7 Votes (Like | Disagree)
rodpascoe Avatar
rodpascoe
102 months ago
Oh the irony.
Score: 6 Votes (Like | Disagree)
flyinmac Avatar
flyinmac
102 months ago
Hope the alert was not sent by email LOL
Going back to using birds to deliver my messages. Considered pigeons... but I want a bird that can shred anyone who tries to intercept my message. Decided on Hawks.
Score: 4 Votes (Like | Disagree)
Detektiv-Pinky Avatar
Detektiv-Pinky
102 months ago

<snip>
From what I've read, it's a bug in PGP, not mail
I heard differently. It is supposedly a bug affecting any kind of Email encryption using MIME and automatically loading remote content. Also the in-build S/MIME encryption is at risk.
Score: 3 Votes (Like | Disagree)
belvdr Avatar
belvdr
102 months ago
From what I've read, it's a bug in PGP, not mail
It's a problem in the mail user agent (MUA), not PGP/GPG. From the mailing list:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html


The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails. It is long known that HTML mails and in particular external links like <img href="tla.org/TAG"/> are evil if the MUA actually honors them (which many meanwhile seem to do again; see all these newsletters). Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets.

There are two ways to mitigate this attack

- Don't use HTML mails. Or if you really need to read them use a
proper MIME parser and disallow any access to external links.

- Use authenticated encryption.
It also appears that some versions of OpenPGP already use authenticated encryption. From what I'm reading, this is a really old bug that many wanted to get fixed, but the MUAs fail to fix it.
Score: 3 Votes (Like | Disagree)
Read All Comments