Sebastian Schinzel, professor of computer security at Germany’s Münster University of Applied Sciences, alongside a team of eight researchers, revealed on Twitter that there are currently no stable fixes for the issues and said PGP-encrypted email should not be used until a patch is released.
The Electronic Frontier Foundation (EFF), a digital liberties campaign group, released guides on how to temporarily disable PGP plug-ins in three email clients.
It advised users to disable the use of active content, such as HTML code and the loading of external content, and to secure their email servers against external access. The use of PGP – short for Pretty Good Privacy – for secure communications has been advocated, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the U.S. National Security Agency before fleeing to Russia.
In addition, the mails would need to be in HTML format and have active links to external content to be vulnerable, the BSI said. To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient.

PGP, short for Pretty Good Privacy, works with public-key cryptography: each user holds a private key that stays secret and a public key that is shared with correspondents. A message is encrypted with the recipient’s public key and can only be decrypted with the recipient’s private key. To sign a message, the sender’s software first generates a ‘hash’, or mathematical summary, of its contents and encrypts that hash with the sender’s private key; anyone holding the sender’s public key can then verify that the message is genuine and unaltered.
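The condition the BSI describes, an HTML mail that loads external content while also carrying PGP-encrypted material, can be checked mechanically before a client ever renders the message. The following Python script is an added example written for this page, not code from the researchers, the EFF or the BSI. It uses only the standard-library email and html.parser modules, parses two constructed sample messages (the addresses, hostnames and ciphertext placeholder are made up), and flags a message as risky when it contains PGP-encrypted content and at least one HTML part that would make a mail client fetch an http(s) URL.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# HTML attributes that make a mail client fetch a URL while rendering.
REMOTE_ATTRS = {"src", "href", "background", "poster", "data"}
REMOTE_SCHEME = re.compile(r"^\s*https?://", re.IGNORECASE)
# url(...) inside inline style attributes or <style> blocks also triggers a fetch.
CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")]+)", re.IGNORECASE)


class RemoteRefCollector(HTMLParser):
    """Collects every external http(s) reference found in one HTML part."""

    def __init__(self):
        super().__init__()
        self.refs = []          # (tag, attribute, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value is None:
                continue
            if name in REMOTE_ATTRS and REMOTE_SCHEME.match(value):
                self.refs.append((tag, name, value.strip()))
            elif name == "style":
                for url in CSS_URL.findall(value):
                    self.refs.append((tag, "style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.refs.append(("style", "css", url))


def analyze(raw: bytes) -> dict:
    """Report whether a raw RFC 5322 message is PGP-encrypted, which
    external URLs its HTML parts reference, and whether both hold at once."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted = False
    remote_refs = []
    for part in msg.walk():
        ctype = part.get_content_type()
        # PGP/MIME (RFC 3156) marks the encrypted container explicitly.
        if ctype in ("multipart/encrypted", "application/pgp-encrypted"):
            encrypted = True
        if part.is_multipart():
            continue
        body = part.get_content()
        text = body if isinstance(body, str) else body.decode("latin-1", "replace")
        # Inline PGP has no MIME marker, only the armor header in the body.
        if "-----BEGIN PGP MESSAGE-----" in text:
            encrypted = True
        if ctype == "text/html":
            collector = RemoteRefCollector()
            collector.feed(text)
            remote_refs.extend(collector.refs)
    return {
        "encrypted": encrypted,
        "remote_refs": remote_refs,
        "risky": encrypted and bool(remote_refs),
    }


# Constructed sample: an HTML part that loads remote content, followed by a
# PGP/MIME encrypted part, all inside one multipart/mixed message.
SAMPLE_MAIL = b"""From: alice@example.org
To: bob@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://mail.example.net/track.gif">
<p style="background: url(https://mail.example.net/bg.png)">hello</p>
</body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder, constructed for this example)
-----END PGP MESSAGE-----
--inner--
--outer--
"""

# Constructed sample: inline PGP in a plain-text body, nothing to fetch.
SAMPLE_PLAIN_MAIL = b"""From: alice@example.org
To: bob@example.org
Subject: constructed plaintext sample
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder, constructed for this example)
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    for name, raw in (("html+pgp", SAMPLE_MAIL), ("plain+pgp", SAMPLE_PLAIN_MAIL)):
        print(name, analyze(raw))
```

The check is deliberately conservative: it reports any http(s) reference in any HTML part, including parts outside the encrypted container, because that is exactly where an attacker would place them. It is a gateway- or filter-side complement to the EFF’s client-side advice; it does not replace disabling HTML rendering and remote-content loading in the mail client.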