Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.


7:30am, 15 May 2018

TLP Rating: White

What's happening

Systems affected

Email clients that display emails encrypted with S/MIME or OpenPGP standards.

Exploiting this vulnerability requires the email client to allow backchannels, such as HTML, CSS, or x509 requests.

All messages that have been sent using S/MIME or OpenPGP standards may be at risk. The attack relies on an attacker collecting a copy of the encrypted email. There is no way to confirm if these emails have been collected or by whom.

What this means

The plaintext content of encrypted emails can be leaked by email clients.

How the vulnerability could be exploited:

  • The attacker collects encrypted emails. These can be collected in multiple ways, such as through a man-in-the-middle attack or by accessing the SMTP server.
  • The attacker manipulates the email and uses specific attack techniques in order to inject malicious messages into the encrypted email, and remove encryption integrity checks. This message includes an exfiltration channel (for example, an HTML hyperlink) that will send the decrypted plaintext to the attacker.
  • The altered email is then sent to either the sender or receiver, still encrypted with their public keys. The attacker may take steps to disguise the manipulated message, and the email may contain new FROM, DATA, and SUBJECT fields in order to make the email appear unsuspicious.
  • If the email is decrypted and opened in an affected mail client, and the mail client allows the backchannel to be opened, then the data is exfiltrated through the backchannel.

What to look for

How to tell if you're at risk

If you receive S/MIME or OpenPGP encrypted emails, and your mail client allows backchannels such as HTML remote resources, you are at risk of having these emails compromised.

What to do


CERT NZ is not aware of any active attacks. However, we strongly recommend you:

  1. block all backchannels used in your email client and only load emails in plaintext. Backchannels include any outbound calls that are made in order to receive and render content in the email message. Research has shown vulnerable backchannels are HTML, CSS, JavaScript, and PKI (x509) requests. We recommend all backchannels are blocked as research is still developing.
  2. stay informed of your email client’s patch notifications. Although the OpenPGP and S/MIME standards have not been updated to fix this vulnerability, it is important to stay informed. Once the standard has been updated, email clients may release a patch to close this vulnerability.
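
The check below is an added example, not part of the CERT NZ advisory: it lists the HTML, CSS and JavaScript backchannels in a message's HTML parts so that a mail filter or audit script can flag content a client should only show as plaintext. The names `BackchannelFinder` and `find_backchannels` and the host `collector.example` are assumptions made for illustration, and PKI (x509) requests are outside what it can see.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

URL_ATTRS = {"src", "href", "background", "poster", "data", "action"}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)  # absolute or scheme-relative URL
CSS_URL = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class BackchannelFinder(HTMLParser):
    """Collects (kind, detail) for markup that can trigger an outbound call."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False
    def _css(self, text):  # only remote url(...) references are reported
        self.findings += [("css", url) for url in CSS_URL.findall(text)]
    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        if tag == "script":
            self.findings.append(("javascript", "script element"))
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # inline event handler such as onload
                self.findings.append(("javascript", f"{tag}[{name}]"))
            elif name == "style":
                self._css(value)
            elif name in URL_ATTRS and REMOTE.match(value):
                self.findings.append(("html", f"{tag}[{name}] -> {value.strip()}"))
    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"
    def handle_data(self, data):
        if self._in_style:
            self._css(data)

def find_backchannels(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    finder = BackchannelFinder()
    for part in msg.walk():  # text/plain parts are never parsed as markup
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
            finder.close()
    return finder.findings
# Constructed sample message (collector.example is a placeholder host).
SAMPLE = """\
Content-Type: text/html; charset="utf-8"

<style>body {background: url(http://collector.example/bg.png)}</style>
<body onload="init()"><img src="http://collector.example/p.gif"><a href="#top">top</a></body>
"""
if __name__ == "__main__":
    print(*find_backchannels(SAMPLE), sep="\n")
```

An empty result means no HTML part carried one of these three backchannel types; it says nothing about whether the client itself is configured to block them.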

More information

Read the details about this vulnerability at External Link

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
