Mailbox for iOS Has a Huge Security Flaw

By Robert Sorokanich on at

Mailbox, the tidy iOS email app recently purchased by Dropbox, has a pretty wide-open hole that could allow bad actors to hijack your device. And unlike phishing attempts that should probably set off your sketchiness detector, this flaw involves emails that look completely innocuous.

As Italian researcher Michele Spagnuolo shows, the Mailbox app will execute any JavaScript code embedded in the body of an HTML email message. Here he demonstrates how opening a JavaScript-equipped message causes iOS apps to launch autonomously:

While the video demonstrates the flaw by launching some pretty low-key apps, maliciously-coded emails could cause your phone to compromise some very important personal data. There doesn't seem to be a fix for the issue just yet, so if you're using Mailbox on your iOS device, it's probably a good idea to switch to another email app until this problem is sorted. [Michele Spagnuolo via Ars Technica]