Münster University of Applied Sciences signalled on 14th May that PGP and S/MIME have both vulnerabilities enabling the third party to reveal the plain-text of ongoing encrypted email traffic and even access the earlier sent secure emails.
"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus ex-filtrating the plain-text to the attacker."
The following general advice may apply:
- Remove the installed and automatic PGP and S/MIME services from your email-service until the vulnerability has been patched
- Use other end-to-end email encryption services like Signal
- Wait for detailed analysis and guidance to remedy the services.
- Consider what has been sent earlier using the above encryption and assess the risks if they are revealed.
References
- https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
- https://www.forbes.com/sites/thomasbrewster/2018/05/14/pgp-encrypted-email-vulnerability-exposes-private-messages/#61cbede13e2a
- https://ssd.eff.org/en/module/how-use-signal-ios
- https://efail.de/efail-attack-paper.pdf