Author Topic: Security flaw allows unwanted code execution in Mailbox app  (Read 427 times)
HCK
Global Moderator
Hero Member
*****
Posts: 79425
« on: September 25, 2013, 07:01:19 pm »

Security flaw allows unwanted code execution in Mailbox app
An Italian computer engineer has reportedly discovered that the popular Mailbox iOS app, which was acquired by Dropbox earlier this year, suffers from a potentially serious vulnerability that may allow malicious e-mails to wreak all sorts of havoc on your device. Macworld has confirmed that the flaw occurs in the latest version of Dropbox (1.6.2) currently available from the App Store.

According to Novara-based Michele Spagnuolo, the flaw allows JavaScript code to be embedded and executed from inside an HTML message; because Mailbox doesn’t filter the data stored in the messages it displays, the code can be executed without any user intervention whatsoever. As Spagnuolo shows in a short video he shot for the occasion, this means that simply opening an e-mail message could cause a different app to be launched, and could allow third parties to foil “advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, […] potentially much worse things” on unsuspecting users.

The root cause of the problem is likely the fact that Mailbox uses a special Apple-provided control, called a webview, to render HTML messages. Since webviews are essentially self-contained versions of Safari, they also inherit all of the browser’s capabilities—including support for executing JavaScript code.

The good news is that the problem is probably not as bad as it looks. The same issues that Spagnuolo highlights affect Safari itself, and were designed by Apple to provide some level of interoperability between Web pages and apps, like when an iTunes preview page automatically launches the App Store app.
To read this article in full or to leave a comment, please click here
http://www.macworld.com/article/2049389/security-flaw-allows-unwanted-code-execution-in-mailbox-app.html#tk.rss_all
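The root-cause explanation in the article (an HTML message handed straight to a webview, with nothing filtered out) points at the standard mitigation: sanitize the message body against an allow-list before it reaches the webview, and disable JavaScript in the webview as defence in depth. The sanitizer below is an added example written for this thread; it is not Mailbox or Dropbox code and does not come from the Macworld article or from Spagnuolo. It uses only the Python standard library; the tag and attribute allow-lists, the `allow_remote_images` switch and the `dropped` audit list are my own choices.

```python
"""Allow-list HTML sanitizer for e-mail bodies that will be rendered in a webview.

Added example, not Mailbox's code. It removes script/style/iframe/object/embed
elements with their contents, every attribute not on an allow-list (which
covers all on* event handlers and style), href/src values whose URL scheme is
not http, https or mailto (so javascript: and data: are rejected), and, by
default, remote image sources (tracking pixels). Whatever is removed is
recorded in a list so the app can log it.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "blockquote",
                "h1", "h2", "h3", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height", "colspan"}
URL_ATTRS = {"href", "src"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}


class EmailHTMLSanitizer(HTMLParser):
    def __init__(self, allow_remote_images=False):
        super().__init__(convert_charrefs=True)
        self.allow_remote_images = allow_remote_images
        self.out = []
        self.skip_depth = 0   # > 0 while inside a script/style/iframe/object/embed
        self.dropped = []     # audit trail of everything that was removed

    def _safe_url(self, value):
        # Remove control characters and whitespace first so that an obfuscated
        # scheme such as "java<TAB>script:" is still recognised and rejected.
        cleaned = "".join(c for c in value if ord(c) > 0x20)
        # Relative URLs (no scheme) are rejected too; they mean nothing in mail.
        return urlparse(cleaned).scheme in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1          # nesting-aware: iframe inside object etc.
            self.dropped.append(f"tag:{tag}")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:        # html.parser already lower-cases names
            value = value or ""
            if name not in ALLOWED_ATTRS:  # drops onclick, onload, style, ...
                self.dropped.append(f"attr:{name}")
                continue
            if name in URL_ATTRS:
                if not self._safe_url(value):
                    self.dropped.append(f"url:{name}={value}")
                    continue
                if tag == "img" and not self.allow_remote_images:
                    self.dropped.append(f"remote-image:{value}")
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Entities were decoded on input, so text is re-escaped on output.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype declarations and processing instructions reach the
    # base-class no-op handlers and are therefore dropped from the output.


def sanitize_email_html(html, allow_remote_images=False):
    """Return (clean_html, dropped) for an untrusted message body."""
    parser = EmailHTMLSanitizer(allow_remote_images)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample message body, not a real e-mail.
    sample = ('<p>Hi <b>there</b></p><script>alert(1)</script>'
              '<a href="javascript:alert(1)" onclick="x()">link</a>'
              '<a href="https://example.com">ok</a>'
              '<img src="http://tracker.example/p.gif">')
    clean, dropped = sanitize_email_html(sample)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the part a defender actually wants: a message whose body needed a `tag:script` or `url:href=javascript:` removal is a useful signal to log or to surface in the client, and the sanitizer stays useful even when the webview itself has JavaScript disabled, because it also strips the tracking images and frames that need no script at all.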