PGP Email Plugin Critical Vulnerability

A critical vulnerability has been discovered in PGP and S/MIME email encryption plugins like Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win. The EFF’s advice is to uninstall or disable these until further notice. [The EFF.]

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

Update: To be clear, this is not a flaw in PGP itself, but rather in its implementation in the above plugins.