When 'tptacek first heard of efail, we were both in the office, he called me over and said "if there was a disastrous GPG bug that fails in way $X, what would it look like" and my first answer was "of course it's that MDCs don't actually work and the packet stream is malleable and something is going to consume unauthenticated plaintext". That's not because I'm some sort of genius: it's because to anyone who has studied the protocol and has a cryptographic background, those flaws are glaring.
That matters because I think it's reasonable to blame a protocol when it is indisputably flawed (there is no debate about MDCs not being a MAC, there is no debate that authenticated encryption is important) and it turns out those flaws all but imply vulns.
It's just the old HTML email tracking image bug used to get out entire messages. Nothing really new or interesting past that. This is routinely exploited and is why those that are interested in privacy should avoid HTML mail.
