Researchers have announced that a serious flaw has been found in the technology people rely on to send encrypted emails. The flaw found in PGP/GPG and S/MIME email encryption software potentially lets others view sent messages in plain text. However, it’s important to note that the PGP (Pretty Good Privacy) flaw isn’t in the core protocol of PGP, reports the BBC. Instead, the flaw is in various email programs that failed to check for “decryption errors properly before following links in emails that included HTML code.”
Right now there is no fix for the flaw, but there are steps PGP users can take to mitigate the risk. The Electronic Frontier Foundation (EFF) advises users to immediately disable all email tools that automatically decrypt PGP. A website has also been set up that advises PGP users to disable HTML rendering in emails sent via PGP, as that closes the most prominent way of taking advantage of the vulnerability.
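As an added illustration of the "disable HTML rendering" mitigation (this is example code written for this page, not code from the EFF, the researchers, or any mail client), the following Python renderer takes a decrypted PGP/MIME message, prefers its text/plain part, and when only an HTML part exists converts it to text without evaluating the HTML. Every construct that would make a client contact a remote host (src/href attributes, CSS url() inside style blocks) is recorded rather than fetched, so it can be logged for detection. The sample messages, the function names and the example.invalid URLs are all constructed for this example.

```python
# Added example, not from the original article: a defensive renderer that
# never evaluates HTML from a decrypted message. It prefers text/plain and,
# when only text/html exists, extracts visible text while refusing (and
# recording) every reference that would trigger a remote fetch.
import re
from email import message_from_bytes
from html.parser import HTMLParser

# Attributes whose values make a mail client contact a remote host.
REMOTE_ATTRS = {"src", "href", "background", "poster", "action"}
# Tags treated as line breaks when flattening to text.
BLOCK_TAGS = {"br", "p", "div", "tr", "li"}


class TextOnlyExtractor(HTMLParser):
    """Collect visible text; record, but never follow, remote references."""

    def __init__(self):
        super().__init__()
        self.chunks = []     # visible text fragments
        self.blocked = []    # remote references that were refused
        self._skip_depth = 0  # >0 while inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip_depth += 1
        for name, value in attrs:
            if name in REMOTE_ATTRS and value:
                self.blocked.append(f"{tag}[{name}]={value}")
        if tag in BLOCK_TAGS:
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._skip_depth:
            # CSS/script text is never shown; only harvest url() references
            # so a client can log them.
            for url in re.findall(r"url\(\s*['\"]?([^'\")\s]+)", data):
                self.blocked.append(f"css url()={url}")
        else:
            self.chunks.append(data)


def html_to_text(html):
    """Flatten HTML to whitespace-normalised text; return (text, blocked)."""
    parser = TextOnlyExtractor()
    parser.feed(html)
    parser.close()
    text = " ".join("".join(parser.chunks).split())
    return text, parser.blocked


def safe_render(decrypted_mime):
    """Render a decrypted MIME message without evaluating HTML.

    Returns a dict with the text to display, the remote references that
    were refused, and which part was used as the source.
    """
    msg = message_from_bytes(decrypted_mime)
    plain, html = None, None
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/plain" and plain is None:
            plain = body
        elif part.get_content_type() == "text/html" and html is None:
            html = body
    if plain is not None:
        return {"text": plain.strip(), "blocked": [], "source": "text/plain"}
    if html is not None:
        text, blocked = html_to_text(html)
        return {"text": text, "blocked": blocked, "source": "text/html"}
    return {"text": "", "blocked": [], "source": "none"}


# Constructed sample: a decrypted message whose sender used HTML only.
SAMPLE_HTML_ONLY = b"""\
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0

<html><body>
<style>body { background: url(https://example.invalid/css.png) }</style>
<p>Quarterly figures attached.</p>
<img src="https://example.invalid/track.png">
<a href="https://example.invalid/report">report</a>
</body></html>
"""

# Constructed sample: multipart/alternative, so the plain part is preferred.
SAMPLE_ALTERNATIVE = b"""\
Content-Type: multipart/alternative; boundary="b1"
MIME-Version: 1.0

--b1
Content-Type: text/plain; charset="utf-8"

Quarterly figures attached.
--b1
Content-Type: text/html; charset="utf-8"

<p>Quarterly figures attached.</p><img src="https://example.invalid/track.png">
--b1--
"""

if __name__ == "__main__":
    for sample in (SAMPLE_HTML_ONLY, SAMPLE_ALTERNATIVE):
        result = safe_render(sample)
        print(result["source"], "|", result["text"])
        for ref in result["blocked"]:
            print("  refused remote reference:", ref)
```

The `blocked` list is the detection hook: a client that logs refused references for decrypted messages gets a simple signal that something in a message tried to reach out, while the user still sees the message text.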
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4
— Sebastian Schinzel (@seecurity) May 14, 2018