Using Mailbox for iOS? There's a JavaScript security hole to beware of

A potentially serious security flaw in the iOS email app Mailbox is being investigated. Michael Spagnuolo, an Italian computer engineer, writes about discovering that the app automatically executes any JavaScript that might be embedded in the body of an email.

Michael has recorded a video demonstrating a few proofs of concept which leave iPad and iPhone users open to potential attack. His example scenarios are purposefully harmless -- he has opted to show how opening an email could lead to an app being opened without permission or could instigate a tweet or SMS (although it is not sent without confirmation) -- but the security hole is going to make many users feel uneasy.

Michael writes: "This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploiting framework, potentially much worse things".

What’s particularly concerning about this is that it could be exploited in conjunction with a specially coded app to wreak unknown damage. This would obviously mean that a compromised app would have to find its way into the App Store or a third party app would have to be installed on a jailbroken device, but it is still a worrying possibility.

Update: A spokesperson for Mailbox contacted me to say: "Many thanks to the community for continuing to push Mailbox to be as great an app as possible. As others have noted, the risks here are extremely limited thanks to the inter-app security built into iOS. That being said, we're working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon".

Photo Credit: Balefire/Shutterstock


© 1998-2017 BetaNews, Inc. All Rights Reserved. Privacy Policy.