A serious vulnerability has been revealed in the popular Mailbox iPhone app, used by many hipsters as a replacement for the traditional Apple or Gmail apps on their iPhones and iPads.
Italian security researcher Michele Spagnuolo – who has previously found security flaws in Google, eBay, MailChimp and Yahoo – discovered that the Mailbox app will execute *any* Javascript which is present in the body of HTML emails.
The makers of the Mailbox app have been aware of the security vulnerability since the end of May 2013, but the vulnerability is still there.
Now Spagnuolo has published a video on his blog, demonstrating how the flaw can be exploited in various ways.
The examples demonstrated are fairly innocuous – largely showing how apps can be automatically opened by just viewing an email in Mailbox, or sending messages via Twitter or SMS (with user confirmation required).
However, it’s easy to imagine how the security hole might be abused to track when users open emails, or exploited in more malicious ways for the purposes of spreading malware or phishing attacks.
In Spagnuolo’s own words, it’s “bad”:
This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploiting framework, potentially much worse things.
Admittedly, the quality of video showing the flaw in action is not tremendous – but it is possible to see apps automatically opening when the user simply views an email inside the MailBox app. Spagnuolo says that he didn’t have access to a tripod and so couldn’t use a proper camera.
The video quality is pretty low – unfortunately I have no tripod and couldn’t use my proper camera, so I used a Logitech webcam to record it and focus is not really good.
Mailbox, of course, was acquired by Dropbox in March of this year.
Although it may not be a surprise for a small firm of app developers not to have spotted this security hole, you would certainly hope that Dropbox – which should be used to protecting the privacy of millions of users with its cloud storage software – would take the issue more seriously.
If you are a Mailbox user who is concerned that pranksters or online criminals might exploit the flaw, then the best advice – until the software is patched – is probably to switch to a different client.
The Mail app which ships with iOS, for instance, does not allow Javascript to execute.
Update: Mailbox’s PR team have been in touch and – understandably – are attempting to downplay the potential seriousness of the security flaw. Here’s what they told me:
Many thanks to the community for continuing to push Mailbox to be as great an app as possible. As others have noted, the risks here are extremely limited thanks to the inter-app security built into iOS. That being said, we’re working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon.