IT experts in Germany and Belgium have identified a dangerous security flaw in email encryption services, Sebastian Schnitzler, professor of computer security at the Muenster Technical College, warned on Monday.
Writing on Twitter, Schnitzler drew attention to "critical weaknesses" in PGP/GPG and S/MIME email encryption services which expose personal information to hackers. Schnitzler said he and other researchers at the Ruhr University Bochum and KU Leuven (the Catholic University of Leuven) had discovered two pathways through which hackers could access the original text of encrypted emails.
The academics recommended that government authorities and companies refrain from using the affected encryption services until updates closing the loophole were released. Warnings of the security flaw, which is being called "#Efail", have been widely publicized in German media reports.
Reacting to the news on Monday, the German Federal Office for Information Security (BSI) stressed, however, that "#Efail" only posed a threat to users of email encryption services under certain circumstances. In order to succeed, hackers needed prior access to the transport route, the mail server or the recipient's mailbox.
Additionally, the flaw is limited to cases where recipients have activated settings that allow their email client to execute HTML code and load external content. As a consequence, PGP/GPG and S/MIME encryption services could still be used without concern as long as they were "correctly implemented" and "configured safely."