Vulnerability: Javascript Allowed to Run in the Mailbox iOS App

Michele Spagnuolo, an Italian computer engineer currently studying for a Master in Computer Engineering in Milan, revealed a major flaw in the popular iOS Mailbox app on Tuesday. In a nutshell, Mailbox allowed (past tense, since it has now been fixed) javascript embedded in an email to run on the mobile device.

Spagnuolo has a history of responsible disclosure. So far this year alone he has been awarded more than $8000 in Google security awards and appears on the Nokia and Mailchimp halls of fame, and on the eBay responsible disclosure acknowledgements page. In this instance he chose not to disclose responsibly, but posted video proof on his website.

"This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploitation framework, potentially much worse things", he explained. "The app also loads external images without offering an option to disable this behavior."

The story was picked up by numerous publications and bloggers. Independent security researcher Graham Cluley, for example, wrote, "Although it may not be a surprise for a small firm of app developers not to have spotted this security hole, you would certainly hope that Dropbox – which should be used to protecting the privacy of millions of users with its cloud storage software – would take the issue more seriously." Dropbox acquired Mailbox back in March, but said at the time it would keep the development teams separate.

Following the publicity, Mailbox quickly released an acknowledgement statement playing down the flaw: "As others have noted, the risks here are extremely limited thanks to the inter-app security built into iOS. That being said, we’re working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon." Mailbox told Ars Technica within two hours of its own account that a fix would probably be available before the end of Wednesday.

Indeed, before the end of Wednesday Mailbox published a brief note on its own blog: "today we implemented a process that strips javascript from messages before delivering them to mobile devices. This feature is now live on Mailbox servers and filtering new mail."

Spagnuolo was not the first to find and report the flaw (which he acknowledges). On 29 May 2013 Ben (@bp_) tweeted: "@mailbox Any plans on preventing Javascript in mail body being executed?"

Mailbox responded, "@bp_ Good question. We're working on it!" But nothing actually happened for months – until Spagnuolo blogged and demonstrated the same flaw; and the media added publicity.

What’s Hot on Infosecurity Magazine?