The Italian security researcher Michele Spagnuolo – who has previously found security flaws in Google, eBay, MailChimp and Yahoo – discovered that the Mailbox app will execute *any* JavaScript which is present in the body of HTML emails.This is the very serious vulnerability has been revealed in the popular iPhone Mailbox app, used by many hipsters as a replacement for the traditional Apple or Gmail apps on their iPhones and iPads.
Mailbox is an iOS email app recently purchased by Dropbox, This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and potentially much worse things, especially for jailbroken devices. The app also loads external images without offering an option to disable this behavior.
Spagnuolo published a video demonstration
In App Store the latest version of Mailbox (1.6.2) is available, that can executes any JavaScript which is present in the body of HTML emails.
Mailbox published a statement regarding this "Today we implemented a process that strips JavaScript from messages before delivering them to mobile devices. This feature is now live on Mailbox servers and filtering new mail. This will be particularly important as we develop for other platforms, where JavaScript vulnerabilities could be more of an issue.As always, thanks for joining us on the road to build the world’s best inbox."
No comments:
Post a Comment