News

Bug renders encrypted Apple Mail messages easy to decipher

Launch Mail

Researchers have discovered bugs in Apple Mail’s HTML rendering on Mac as well as iOS in addition to Mozilla Thunderbird. These flaws make it possible for attackers to mine plain text from mail messages that were originally sent as encrypted text.

Many businesses rely on PGP and S/MIME encrypted email to keep communications confidential.

The main issue that affects Apple Mail, Mozilla Thunderbird’s client and iOS Mail is a system that utilises multipart responses to take advantage of issues with HTML rendering.

To put it differently: if a hacker gets hold of someone’s encrypted email, they can send that encrypted text back to the user and thereby disclose the unencrypted plain text format without ever requiring the sender’s confidential encryption keys.

Basically, the hacker would have to send three parts: an encrypted text string, an incomplete HTML tag declaration, and the final HTML to close the image tag.

What happens next is that the Mail client decrypts the cypher text, and then renders is as the bogus picture’s source URL.

When the recipient opens the email using their own email client, it will then try to load the URL to open the image. The hacker’s server logs this request, and it then has its own copy of the now unencrypted content. Naturally, the domain forming part of the URL has to be controlled by the hacker to do this, for instance, efail.de.

The only permanent way to resolve this is via a software update, which is undoubtedly in the pipeline. Until then, users can respond by disabling ‘Load remote content in messages’ under Mail Preferences for Mac or Apple Mail. On iOS, this is under ‘iOS Settings and called ‘Load Remote Images’.
You could also completely try removing the PGP keys from the email client, so the app cannot decrypt encoded strings at all.

Tags

About the author

Chris

I've been a passionate evangelist for Apple and the Macintosh throughout my working life, my first love was a Quadra 605 working with a small creative agency in the south of Norfolk UK in the mid 1990's, I later progressed to other roles in other Macintosh dominated industries, first as a Senior graphic designer at a small printing company and then a production manager at Guardian Media Group. As the publishing and printing sector wained I moved into Internet Marketing and in 2006 co-founded blurtit.com which grew to become one the top 200 visited sites in the US (according to Quantcast), at its peak receiving over 15 million visits per month. For the last ten years I have worked as an Affiliate and Consultant to many different business and start ups, my key skill set being online marketing, on page monetisation, landing page optimisation and traffic generation, if you would like to hire me or discuss your current project please reach out to me here.

You can also follow me on: and

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.