Monday, September 23, 2013

Mailbox iPhone app suffers from serious Javascript flaw, researcher discovers

A serious vulnerability has been revealed in the popular Mailbox iPhone app, used by many hipsters as a replacement for the traditional Apple or Gmail apps on their iPhones and iPads.

Italian security researcher Michele Spagnuolo – who has previously found security flaws in Google, eBay, MailChimp and Yahoo – discovered that the Mailbox app will execute *any* Javascript which is present in the body of HTML emails.
The makers of the Mailbox app have been aware of the security vulnerability since the end of May 2013, but the vulnerability is still there.
Now Spagnuolo has published a video on his blog, demonstrating how the flaw can be exploited in various ways.
The examples demonstrated are fairly innocuous – largely showing how apps can be automatically opened by just viewing an email in Mailbox, or sending messages via Twitter or SMS (with user confirmation required).
However, it’s easy to imagine how the security hole might be abused to track when users open emails, or exploited in more malicious ways for the purposes of spreading malware or phishing attacks.
Video: the apps automatically open when the user simply views an email inside the Mailbox app. Spagnuolo says that he didn’t have access to a tripod and so couldn’t use a proper camera.

Mailbox, of course, was acquired by Dropbox in March of this year.
Although it may not be a surprise for a small firm of app developers not to have spotted this security hole, you would certainly hope that Dropbox – which should be used to protecting the privacy of millions of users with its cloud storage software – would take the issue more seriously.
If you are a Mailbox user who is concerned that pranksters or online criminals might exploit the flaw, then the best advice – until the software is patched – is probably to switch to a different client.
The Mail app which ships with iOS, for instance, does not allow Javascript to execute.
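As an added defender-side example (not code from the article, from Spagnuolo or from the Mailbox app), here is the kind of check a mail gateway or client could run over an HTML body before rendering it: it records the script elements, inline event handlers and non-web URL schemes that a client like the one described would otherwise execute, and rebuilds the body without them. The sample message and the list of schemes treated as safe are assumptions of this example.

```python
import re
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "meta", "form"}  # run code / auto-load
URL_ATTRS = {"href", "src", "action", "data"}  # a javascript: or app scheme here opens apps
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}  # assumption: tune per deployment

def url_scheme(value: str) -> str:  # '' for relative URLs; strips whitespace obfuscation
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return compact.split(":", 1)[0] if ":" in compact else ""

class MailBodySanitizer(HTMLParser):  # drops active content and records what was removed
    def __init__(self):
        super().__init__()
        self.out, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
            self._skip += 1  # drop the element and everything inside it
            return
        kept = []
        for name, value in attrs:
            scheme = url_scheme(value) if name in URL_ATTRS and value else ""
            if name.startswith("on"):  # inline handler such as onload= or onerror=
                self.findings.append(f"handler:{tag}@{name}")
            elif scheme and scheme not in SAFE_SCHEMES:
                self.findings.append(f"scheme:{scheme}@{tag}.{name}")
            else:
                kept.append(f' {name}="{escape(value or "")}"')
        if not self._skip:
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize_html_mail(body: str):
    s = MailBodySanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out), s.findings  # (sanitized HTML, list of findings)

SAMPLE_MAIL = (  # constructed sample carrying the kinds of active content described above
    '<p>Hi <b>there</b></p><script>window.location="twitter://post?m=hi"</script>'
    '<img src="http://example.invalid/t.png" onerror="alert(1)">'
    '<a href="JaVaScRiPt:alert(1)">click</a><a href="sms:+15555550100">text</a>')
```

Running `sanitize_html_mail(SAMPLE_MAIL)` returns the body with only the paragraph, the image (minus its handler) and two bare links, plus one finding per removed item.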
