Efail, the PGP Encryption Attack Explained

[UPDATE] There are more updates being circulated on the vulnerability stating that it is not present in the standard, but in the way it is implemented. But the attack scenarios remain same. Go through the blog in that mindset.

If you’re active on the Internet and concerned about privacy, probably you must have heard about this new vulnerability, which has affected two of the worlds most popular encryption standards used for Email encryption. Simply said, the vulnerability may enable an attacker to see the actual plaintext of an encrypted email. That sounds crazy, isn’t it? Okay. We’ll dig into deeper. Let me start from the beginning.


Email, as everyone knows, is one of the most popular ways of communications used all around the world. Since the emails exchange sensitive information of all sorts, people expect confidentiality and security over the Internet, and email to be more precise. There are so many technics used to achieve security over the Emails, and one of the most popular and more effective ways of achieving it is through End-to-end encrypted email services. End-to-end encryption (E2EE) provides a significant level of protection for the email you use.


Pretty Good Privacy (PGP) or OpenPGP and Secure/Multipurpose Internet Mail Extensions (S/MIME) are two of the most popular and common standards used to achieve the End-to-end encryption in the emails. They are dominating the Internet for more that two decades.

What is the problem with them?

If we look at the problems faced here, we can break them into TWO.

Attack – 1

Let me explain the first type of attack. The main purpose of this attack is to get the plaintext of an encrypted cipher-text (output of a plaintext being encrypted. Simply gibberish), which means, the attacker gets the details of the encrypted email. For this to happen, there are few things the attacker has to do or have beforehand.

For a successful attack, attacker should be able to gather encrypted emails from the target victim. They may use techniques like Man-in-the-middle, or any other methods to get encrypted emails of a potential victim. Just by getting these emails, attacker is unable to read anything, but here comes the attack, which enabled him to get the data.

The attacker may manipulate the cipher-texts using “malleability gadgets”.Hold on, what does that mean, by the way? If I were to say it in simple terms, it is a technique used to manipulate the cipher-texts as per attackers intend. Once the attacker manipulates the cipher-texts, he/she may send the manipulated email to either the original sender or receiver. And the best part is, the attacker can hide stuff and make the manipulated email look like a legitimate email, which may enable the victim to open it without any suspicion.

Once the victim opens the email, the email client decrypts the email with the private key of the victim. The decrypted mail may have the manipulation, which the attacker created. As an example, it may contain a backchannel (an external HTML hyperlink), which then sends the actual data to the attacker. So, the attacker gets whatever the plaintext (which was already encrypted, and now decrypted) had in the email. This is one scenario of the attack.

Attack – 2

The second scenario of the attack is a little different. It actually takes some parts of the technique used for the first attack and adds a little more stuff to it, and then makes the second one more sophisticated.

Okay! Let me explain.

The first attack enabled the attacker to view or get the plaintext of an encrypted email. In the second attack, the attacker is able to modify (even if he cannot read) whatever the plaintext in the email with attackers’ intend. This may give a false or altered message to the victim or the legitimate user.

This is how it works.

Encryption algorithms use several techniques to check the integrity of an email. They check if an email is accurate or someone has modified it. In other words, it checks if an attacker tampered the email or not. But the problem here is, OpenPGP checks for the integrity but it doesn’t take any actions against it. Ideally, if it finds a tampered email, it should drop it and notify the user. But, OpenPGP decrypts and shows the plaintext message to the user even if it sees any integrity compromises. This vulnerability may enable attackers to modify the email contents, as they want.

So, putting both attacks together, the attacker may actually change certain information in an encrypted email, and he/she can even look at the contents of an encrypted email, because of the vulnerability found in those encryption standards.

Any Fixes? Recommendations? Solutions?

As of now, there is not much we can do. Since the first attack takes advantage of backchannels (external links), we can block all the backchannels, which may aid to restrict any external URL and stuff, which gives certain level of protection. And for the second attack, new patches can be used to instruct the integrity test to drop the email if there is a tampered message is found. That may solve the problem of modification of emails.

Electronic Frontier Foundation (EFF) suggests disabling or uninstalling PGP email plugins for now as a fix. But there are discussions going on stating this wouldn’t help.

Anyway, these methods actually don’t fix the underlying vulnerability. The researchers who found the vulnerability recommend and suggest upgrading the standard itself to fix it completely.

Will that happen?

That is not in our hands. Time has to give an answer for that. But there are so many people out there working hard to find a better solution for this vulnerability.


Researchers have found a critical vulnerability in the popular email encryption standard PGP and S/MIME, which enables attackers to view and modify encrypted emails. There is not much of a permanent fix available right now, and disabling the PGP plugins in the email is considered as a common fix for now. If you need more details, you can visit their website.

If you need more advices, suggestions and services on information security, feel free to contact us. We are happy to guide you and support you in protecting you.

Photo credit: Jana Runde from Ruhr Universty Bochum


Previous ArticleNext Article