Security Flaws in PGP Can Reveal Emails in Plaintext – Steps to Disable PGP in Apple Mail, Outlook & Thunderbird
Feb 12, 2026 3:14 AM

Security researchers have discovered and warned against vulnerabilities in the PGP/GPG and S/MIME email encryption standards that could be exploited by malicious actors. These security flaws could reveal encrypted emails in plaintext, even emails that were sent in the past. The attacks require the attacker to be in possession of the encrypted emails and to trick either the sender or the recipient into opening an invisible snippet of the intercepted messages embedded in a new email.

Pretty Good Privacy (PGP) is a popular open source end-to-end encryption standard that is used to encrypt emails to protect them against snooping. Secure/Multipurpose Internet Mail Extensions (S/MIME) is an alternative end-to-end encryption standard that is used to secure corporate email communication.

While some believe these vulnerabilities are overblown, since they require the attacker to already be in a privileged position, various security experts have advised users to uninstall PGP and S/MIME until fixes are made available. In the meantime, researchers are advising users to rely on end-to-end encrypted messaging apps instead. In its statement, the Electronic Frontier Foundation said:

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

What we know right now about eFail encryption flaws in OpenPGP and S/MIME encryption standards

Attackers having access to encrypted emails can use these vulnerabilities to exfiltrate those emails in plaintext by embedding invisible snippets of text in new emails, causing the decrypted plaintext to be sent to an attacker-controlled server. Dubbing the series of flaws that make this attack possible eFail, researchers said that some of these security vulnerabilities are a decade old.

"In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs," researchers explained.

To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

After changing an encrypted email in a particular way, attackers will send this modified encrypted email to the victim. The victim's email client decrypts the email and loads any external content (added by the attacker), thus exfiltrating the plaintext to the attacker.
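The client-side mitigation that follows from the mechanism described above is to never fetch remote content while rendering a decrypted message, so that a modified email cannot trigger the outbound request that carries the plaintext. The Python sanitizer below is an added example written for this article, not code from the researchers or from any of the mail clients named here. It rewrites a decrypted HTML body so that every attribute or CSS rule that would cause an automatic network request (external images and stylesheets as the researchers describe, and also CSS url()/@import, frames, media and meta refresh) is removed and reported, while inline references such as cid: attachments are kept. The function name, the constructed sample body and the example.invalid host are assumptions for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Attributes a mail client fetches automatically while rendering the tag.
# (<a href> is only followed on click, so it is deliberately not listed.)
AUTOLOAD_ATTRS = {
    "img": {"src", "srcset"}, "source": {"src", "srcset"},
    "link": {"href"}, "iframe": {"src"}, "frame": {"src"},
    "video": {"src", "poster"}, "audio": {"src"}, "object": {"data"},
    "embed": {"src"}, "input": {"src"},
    "body": {"background"}, "table": {"background"}, "td": {"background"},
}
# URLs that would cause a network fetch (relative and cid: references stay).
REMOTE_URL = re.compile(r"^\s*(?:https?:|ftp:|//)", re.IGNORECASE)
# Remote loads hidden in CSS: background-image: url(...) and @import "...".
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?:|ftp:|//)[^)]*\)", re.IGNORECASE)
CSS_IMPORT = re.compile(r"@import\s+['\"](?:https?:|ftp:|//)[^'\"]*['\"]\s*;?",
                        re.IGNORECASE)
VOID_TAGS = {"img", "br", "hr", "link", "meta", "input", "source", "embed",
             "area", "base", "col", "wbr"}


class RemoteContentStripper(HTMLParser):
    """Re-emits an HTML body with every automatic remote fetch removed.

    Removed references are collected in self.blocked so the client can log
    them or warn the user that the message tried to load external content.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []
        self._in_style = False   # inside <style>: clean CSS, do not escape
        self._in_script = False  # inside <script>: discard everything

    def _clean_css(self, css):
        def drop(replacement):
            def _sub(match):
                self.blocked.append(match.group(0))
                return replacement
            return _sub
        css = CSS_IMPORT.sub(drop(""), css)      # remove the @import rule
        return CSS_URL.sub(drop("none"), css)    # url(...) -> none

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            return
        if self._in_script:
            return
        if tag == "meta" and any(n == "http-equiv" and (v or "").lower() == "refresh"
                                 for n, v in attrs):
            self.blocked.append("<meta http-equiv=refresh>")
            return
        if tag == "style":
            self._in_style = True
        parts = [tag]
        for name, value in attrs:   # HTMLParser already lowercases names
            if (value is not None and name in AUTOLOAD_ATTRS.get(tag, ())
                    and REMOTE_URL.match(value)):
                self.blocked.append(value)
                continue            # drop the attribute entirely
            if value is not None and name == "style":
                value = self._clean_css(value)
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            return
        if self._in_script:
            return
        if tag == "style":
            self._in_style = False
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_script:
            return
        self.out.append(self._clean_css(data) if self._in_style
                        else escape(data, quote=False))

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")
    # Comments are dropped: handle_comment is left at its default (no output).


def strip_remote_content(html_body):
    """Return (sanitized_html, blocked_references) for one decrypted HTML body."""
    parser = RemoteContentStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample body; example.invalid is a reserved, never-resolving name.
SAMPLE_BODY = (
    '<html><body style="background: url(https://example.invalid/bg.png)">'
    '<link rel="stylesheet" href="https://example.invalid/mail.css">'
    '<p>Quarterly numbers attached &amp; reviewed.</p>'
    '<img src="https://example.invalid/pixel.gif" width="1" height="1">'
    '<img src="cid:logo@local" alt="logo">'
    '<style>@import "https://example.invalid/x.css"; p { color: #333 }</style>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, blocked = strip_remote_content(SAMPLE_BODY)
    print(clean)
    for ref in blocked:
        print("blocked remote load:", ref)
```

Run on the sample, the sanitizer reports four blocked remote references (the body background, the external stylesheet, the tracking pixel and the CSS @import) and keeps the cid: image, the text and the remaining CSS rule. A client that applies this before rendering, and that shows the blocked list to the user, turns the silent request the attack depends on into a visible warning.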

In their paper, researchers noted that "while it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext."

Most details are available over on the official site, but researchers added that Apple Mail, iOS Mail and Mozilla Thunderbird are the worst affected as they have "even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute."

How to disable PGP in Apple Mail, Thunderbird and Outlook

Here are the steps to temporarily disable PGP plug-ins to avoid exposure until these flaws are fixed.

1. Apple Mail

Open Mail and quit it through Mail > Quit Mail. Click on the Finder icon in the dock. In the Finder menu bar, select Go > Go to Folder... In the dialog box, type or copy-paste /Library/Mail/Bundles (or ~/Library/Mail/Bundles) and click Go. Trash the "GPGMail.mailbundle" file by either dragging it to the trash icon on the dock or by right-clicking it and selecting Move to Trash. If you are asked for the admin password, enter it to confirm the action.

2. Thunderbird

Click on the hamburger menu and select Add-ons from the right panel of the menu. In the new Add-ons Manager tab that will now open, click on Disable in the Enigmail row.

3. Outlook

(via EFF)

Download and open Gpg4win. On the intro page, click Next. On the second screen, keep everything as it is but uncheck "GpgOL" from the options. (This means it will install without Outlook integration.) Now, click the Install button and then Finish.

For more technical details, see: Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels (draft 0.9.0)
