Mailbox iPhone app suffers from serious Javascript flaw, researcher discovers

Graham Cluley

A serious vulnerability has been revealed in the popular Mailbox iPhone app, used by many hipsters as a replacement for the traditional Apple or Gmail apps on their iPhones and iPads.

Italian security researcher Michele Spagnuolo – who has previously found security flaws in Google, eBay, MailChimp and Yahoo – discovered that the Mailbox app will execute *any* Javascript which is present in the body of HTML emails.

The makers of the Mailbox app have been aware of the security vulnerability since the end of May 2013, but the vulnerability is still there.

Now Spagnuolo has published a video on his blog, demonstrating how the flaw can be exploited in various ways.

The examples demonstrated are fairly innocuous – largely showing how apps can be automatically opened by just viewing an email in Mailbox, or sending messages via Twitter or SMS (with user confirmation required).

However, it’s easy to imagine how the security hole might be abused to track when users open emails, or exploited in more malicious ways for the purposes of spreading malware or phishing attacks.

In Spagnuolo’s own words, it’s “bad”:

This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploiting framework, potentially much worse things.

Admittedly, the quality of the video showing the flaw in action is not tremendous – but it is possible to see apps automatically opening when the user simply views an email inside the Mailbox app. Spagnuolo says that he didn’t have access to a tripod and so couldn’t use a proper camera.

The video quality is pretty low – unfortunately I have no tripod and couldn’t use my proper camera, so I used a Logitech webcam to record it and focus is not really good.

Mailbox, of course, was acquired by Dropbox in March of this year.

Although it may not be a surprise for a small firm of app developers not to have spotted this security hole, you would certainly hope that Dropbox – which should be used to protecting the privacy of millions of users with its cloud storage software – would take the issue more seriously.

If you are a Mailbox user who is concerned that pranksters or online criminals might exploit the flaw, then the best advice – until the software is patched – is probably to switch to a different client.


The Mail app which ships with iOS, for instance, does not allow Javascript to execute.
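What such a "do not execute" policy for HTML mail looks like in practice, as an added example that is not Mailbox's or Spagnuolo's code: a small sanitizer that strips script elements, inline event handlers and javascript: URLs from a message body before it is rendered, and reports what it removed so a mail gateway or client could log such messages. The tag and scheme lists, the function names and the sample message are assumptions constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Assumed policy, not Mailbox's own: blocked elements, URL attributes, code-running schemes.
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:        # drop the element and everything inside it
            self.findings.append(f"removed <{tag}> element")
            self._skip += 1
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # inline event handler such as onload
                self.findings.append(f"removed {name} handler on <{tag}>")
                continue
            scheme = "".join((value or "").split()).lower()  # catches "java\tscript:"
            if name in URL_ATTRS and scheme.startswith(BLOCKED_SCHEMES):
                self.findings.append(f"removed {name} with scripted URL on <{tag}>")
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self._skip = max(self._skip - 1, 0)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):       # text is re-escaped, never executed
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_email_html(body):
    parser = MailSanitizer()           # returns (clean_html, findings)
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.findings

SAMPLE = ('<p>Hello <b>reader</b></p><script>console.log("ran")</script>'  # constructed
          '<img src="cid:logo" onload="console.log(1)"><a href="javascript:void(0)">click</a>')
```

Running `sanitize_email_html(SAMPLE)` keeps the paragraph and the image reference but drops the script, the onload handler and the javascript: link, returning three findings that name what was removed.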

Update: Mailbox’s PR team have been in touch and – understandably – are attempting to downplay the potential seriousness of the security flaw. Here’s what they told me:

Many thanks to the community for continuing to push Mailbox to be as great an app as possible. As others have noted, the risks here are extremely limited thanks to the inter-app security built into iOS. That being said, we’re working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
