Mailbox is a very popular replacement mail app for iOS that apparently auto-executes JavaScript in incoming emails, according to a post by Italian security researcher Michele Spagnuolo (@MikiSpag).

Jeremiah Grossman summarized it best: “XSS to account takeover.” Think about it – this app auto-executes any JavaScript received via email. Oops.
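The defensive counterpart to the behaviour described above, as an added example that is not Mailbox's or Dropbox's code: a mail client that renders HTML must strip active content (script elements, `on*` event handlers, `javascript:` URLs, embedded frames) before the body reaches anything that can execute it, or render it in a view with script disabled. The allowlist sanitizer below does that with Python's standard-library `html.parser`; the function names, the allowlists and the sample message are all constructed for this illustration, and a production client would use a maintained sanitizer rather than a sixty-line one.

```python
"""Allowlist sanitizer for HTML email bodies (added example, not the app's own code)."""
import re
from html import escape
from html.parser import HTMLParser

# Tags a mail renderer may keep; any other tag is dropped but its text survives.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "div",
                "span", "table", "tr", "td", "th", "h1", "h2", "h3", "blockquote"}
# Elements whose inner content is discarded as well, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math", "template"}
ALLOWED_ATTRS = {"href", "title", "colspan", "rowspan"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")
VOID_TAGS = {"br", "img", "hr"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:")


def is_safe_url(value):
    """Accept relative URLs and http/https/mailto; reject javascript:, data:, etc.
    Control characters and whitespace are removed first because browsers ignore
    them inside a scheme ("java\\tscript:" still runs as javascript:)."""
    v = "".join(ch for ch in value.strip().lower() if ch > " ")
    if not SCHEME_RE.match(v):
        return True          # no scheme at all: relative link
    return v.startswith(SAFE_URL_SCHEMES)


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized HTML fragments
        self.findings = []   # human-readable record of what was removed
        self._drop_depth = 0 # > 0 while inside script/style/iframe/... content

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self._drop_depth += 1   # nested container, track its close tag
            return
        if tag in DROP_CONTENT_TAGS:
            self.findings.append(f"active element <{tag}> removed")
            self._drop_depth += 1
            return
        kept = []
        for name, value in attrs:   # HTMLParser already lowercases names
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}> removed")
            elif name == "href" and not is_safe_url(value):
                self.findings.append(f"unsafe href {value!r} on <{tag}> removed")
            elif name in ALLOWED_ATTRS:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self._drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))   # re-escape decoded text

    # Comments (including IE conditional comments) are dropped by default.


def sanitize_email_html(html):
    """Return (sanitized_html, findings). A non-empty findings list means the
    message carried active content a client must never execute."""
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


def contains_active_content(html):
    return bool(sanitize_email_html(html)[1])


# Constructed sample message, not a real email.
SAMPLE_EMAIL = (
    '<p>Hi, please review the <a href="https://example.com/doc">document</a>.</p>'
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(document.domain)">click</a>'
    '<p style="color:red" onmouseover="alert(2)">Thanks</p>'
)

if __name__ == "__main__":
    clean, findings = sanitize_email_html(SAMPLE_EMAIL)
    print(clean)
    for f in findings:
        print("REMOVED:", f)
```

The design choice worth noting is the ordering: the attribute scan runs before the tag allowlist check, so an `onerror` on a disallowed `<img>` still produces a finding even though the whole element is dropped. That record is what lets a client log or quarantine a message rather than silently rendering a cleaned copy of a payload.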

I emphasize that this is not Apple’s Mail app included with iOS – it is a third-party app called Mailbox in Apple’s Apple App Store.

Initially, I thought, hey, they’ll fix it soon – they just got a public report on it from Spagnuolo’s blog. But Michele has updated the post – @bp_ posted this issue on Twitter in MAY. So they have been sitting on a big hole for months.

This is interesting for two reasons:

  • Apple’s App Store code analysis clearly missed it. Then again, should it have even caught it? The vulnerability doesn’t expose anything on the iOS device itself, and doesn’t violate any of the App Store rules. It also demonstrates that walled gardens, while ‘safer’, aren’t actually ‘safe’. There are entire classes of attacks that likely comply with App Store rules. Like Candy Crush, which is ruining marriages and destroying grades throughout the world. Someone needs to stop the insanity.
  • Enterprises should make damn sure employees aren’t using these services without security vetting. Mailbox is only the start – just look at the many calendar enhancement apps out there. All these little startups use full access to your calendar, mail, contacts, reminders, and social networks to provide a more usable calendar. And almost none of them talk about security in any meaningful way. Rich has been doing some analysis here – they all fail.

Mailbox is now owned by Dropbox (confirmed by the Dropbox copyright on the bottom-left of mailboxapp.com). So either Dropbox didn’t do much appsec due diligence when they bought Mailbox, or they found and ignored it, and now they are on the hook and in the spotlight. A spokesperson for Mailbox said the patch for the auto-execution vulnerability is inbound by end of Wednesday (today), according to that article.

It is interesting to see how software vendors react to such disclosure, but to me the more interesting aspect is the insight into what Apple’s App Store vetting misses…
