Mailbox representatives say attacks that exploit the issue are extremely limited

Sep 26, 2013 08:48 GMT

Italian security researcher Michele Spagnuolo has found that Mailbox, the popular iOS email management application, executes any JavaScript code contained in the body of HTML emails. The issue could have some serious security and privacy implications.

“This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and potentially much worse things, especially for jailbroken devices. The app also loads external images without offering an option to disable this behavior,” Spagnuolo wrote in a blog post.

He has even published a proof-of-concept video to demonstrate his findings.

The issue was initially reported to Mailbox (which is now owned by Dropbox) in May by Benjamin Philipp. However, the company did nothing about it until Wednesday, when the media picked up Spagnuolo’s blog post.

Mailbox says it has implemented a process that strips JavaScript. However, the company noted that attacks leveraging the flaw are “extremely limited” because of how iOS is designed.

“Today we implemented a process that strips javascript from messages before delivering them to mobile devices. This feature is now live on Mailbox servers and filtering new mail. This will be particularly important as we develop for other platforms, where javascript vulnerabilities could be more of an issue,” Mailbox noted.

Shortly after this announcement was made, Spagnuolo revealed that he had found a way to bypass the mitigation implemented by Mailbox.
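The mitigation Mailbox describes is a server-side filter that removes JavaScript from messages before they reach the app. Neither that filter nor Spagnuolo's bypass was published, so the Python below is an added illustration, not Mailbox's code: it contrasts a blacklist filter that only removes `<script>` elements with an allowlist sanitizer that keeps known-safe tags and attributes, drops event-handler attributes and any `href`/`src` whose scheme is not http, https or mailto, and can also strip remote image references, which addresses the external-image loading the article mentions. The sample message, the tag and attribute lists, and the function names are all constructed for this example.

```python
"""Allowlist HTML-email sanitizer versus a naive script-tag stripper (illustrative)."""
import re
from html import escape
from html.parser import HTMLParser

# Tags an email client can render without active content. Anything not listed
# is dropped as a tag while its text content is kept (constructed allowlist).
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u", "a", "img", "ul", "ol", "li",
                "div", "span", "blockquote", "table", "tr", "td", "th", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
# Elements whose text content is dropped as well, not only the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")
VOID_TAGS = {"br", "img"}

# Constructed sample message: one script element, one remote tracking pixel,
# one image with an event-handler attribute, one link with a script URL.
SAMPLE_EMAIL = """<html><body>
<p>Hello, your <b>statement</b> is ready.</p>
<script>document.title = "tracked";</script>
<img src="https://tracker.example.test/pixel.gif" alt="">
<img src="x" onload="track()">
<a href="javascript:track()">Open statement</a>
<a href="https://example.test/statement">Open statement</a>
</body></html>"""


def naive_strip_script(html):
    """Blacklist filter that removes only <script> elements.

    Shows why reasoning about a single tag is not enough: event-handler
    attributes and script URLs pass through untouched.
    """
    return re.sub(r"(?is)<script\b[^>]*>.*?</script\s*>", "", html)


def _safe_url(value):
    """Accept only absolute http(s)/mailto URLs; everything else is rejected."""
    v = re.sub(r"[\x00-\x20]", "", value.strip().lower())  # collapse embedded control chars
    return v.startswith(SAFE_URL_SCHEMES)


class EmailSanitizer(HTMLParser):
    """Rebuilds the document from an allowlist instead of deleting known-bad parts."""

    def __init__(self, block_remote_images=True):
        super().__init__(convert_charrefs=True)
        self.block_remote_images = block_remote_images
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped
        self.remote_images_blocked = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and unknown attributes never survive
            value = value or ""
            if name in ("href", "src"):
                if not _safe_url(value):
                    continue
                if tag == "img" and self.block_remote_images:
                    self.remote_images_blocked += 1  # remote fetch would leak the open
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

    def handle_comment(self, data):
        pass  # comments are dropped


def sanitize_email_html(html, block_remote_images=True):
    """Return (sanitized_html, number_of_remote_images_blocked)."""
    parser = EmailSanitizer(block_remote_images)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.remote_images_blocked


# Post-filter check: does the output still carry any script-bearing construct?
ACTIVE_CONTENT = re.compile(r"(?is)<script\b|\bon[a-z]+\s*=|javascript\s*:")


def contains_active_content(html):
    return ACTIVE_CONTENT.search(html) is not None


if __name__ == "__main__":
    print("naive filter still active:", contains_active_content(naive_strip_script(SAMPLE_EMAIL)))
    clean, blocked = sanitize_email_html(SAMPLE_EMAIL)
    print("allowlist output active:", contains_active_content(clean), "| images blocked:", blocked)
    print(clean)
```

The check at the end is the part worth keeping in a pipeline: a filter should be judged by scanning its output for anything that can still run, not by what it was written to delete.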

“Javascript is currently still executed without any user interaction. I will not publicly disclose details - I privately reported details to Mailbox.app and am waiting for a reply,” the expert explained.

Since many have agreed with Mailbox that exploitation of the flaw is limited, Spagnuolo clarified that his report was not meant to sound sensational.

“I just highlighted that Mailbox.app blindly executes Javascript in HTML email bodies, and that this is bad, especially for jailbroken devices. I am perfectly aware of the fact vanilla iOS sandboxes applications, and that this limits the impact, but this should not excuse the design choice, which is poor from both a privacy and security point of view,” he said.

“Mailbox.app has gained a considerable user base, and it was not acceptable that it used to load external images without asking the user for permission and, worse, execute Javascript code, which allows even more information leakage.”

Here is the video published by Spagnuolo: