Vote 2020 graphic
Everything you need to know about and expect during
the most important election of our lifetimes

Mailbox for iOS Has a Huge Security Flaw (Update: It's Fixed)

Illustration for article titled Mailbox for iOS Has a Huge Security Flaw (Update: Its Fixed)

Mailbox, the tidy iOS email app recently purchased by Dropbox, has a pretty wide-open hole that could allow bad actors to hijack your device. And unlike phishing attempts that should probably set off your sketchiness detector, this flaw involves emails that look completely innocuous.


As Italian researcher Michele Spagnuolo shows, the Mailbox app will execute any JavaScript code embedded in the body of an HTML email message. Here he demonstrates how opening a JavaScript-equipped message causes iOS apps to launch autonomously:

While the video demonstrates the flaw by launching some pretty low-key apps, maliciously-coded emails could cause your phone to compromise some very important personal data. There doesn't seem to be a fix for the issue just yet, so if you're using Mailbox on your iOS device, it's probably a good idea to switch to another email app until this problem is sorted.


Update: Here's Mailbox's statement on this issue.

Many thanks to the community for continuing to push Mailbox to be as great an app as possible. As others have noted, the risks here are extremely limited thanks to the inter-app security built into iOS. That being said, we're working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon.

2nd Update: on its blog, Mailbox says the problem is now fixed:

[T]oday we implemented a process that strips JavaScript from messages before delivering them to mobile devices. This feature is now live on Mailbox servers and filtering new mail.


[Michele Spagnuolo via Ars Technica]

Share This Story

Get our newsletter


Brent Rose

Which bad actors are we talking about? TV or stage?