TechHive: Security flaw allows unwanted code execution in Mailbox app

TechHive
TechHive helps you find your tech sweet spot. We guide you to products you'll love and show you how to get the most out of them. 
Manage your social media

Best social media tool for image publishing to Facebook and Twitter. Look amazing and delight your followers. Get 40% off when you sign up today.
From our sponsors
thumbnail Security flaw allows unwanted code execution in Mailbox app
Sep 25th 2013, 18:35, by Marco Tabini

An Italian computer engineer has reportedly discovered that the popular Mailbox iOS app, which was acquired by Dropbox earlier this year, suffers from a potentially serious vulnerability that may allow malicious e-mails to wreak all sorts of havoc on your device. Macworld has confirmed that the flaw occurs in the latest version of Mailbox (1.6.2) currently available from the App Store.

According to Novara-based Michele Spagnuolo, the flaw allows JavaScript code to be embedded and executed from inside an HTML message; because Mailbox doesn't filter the data stored in the messages it displays, the code can be executed without any user intervention whatsoever. As Spagnuolo shows in a short video he shot for the occasion, this means that simply opening an e-mail message could cause a different app to be launched, and could allow third parties to foil "advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, […] potentially much worse things" on unsuspecting users.

The root cause of the problem is likely the fact that Mailbox uses a special Apple-provided control, called a webview, to render HTML messages. Since webviews are essentially self-contained versions of Safari, they also inherit all of the browser's capabilities—including support for executing JavaScript code.

The good news is that the problem is probably not as bad as it looks. The same issues that Spagnuolo highlights affect Safari itself, and were designed by Apple to provide some level of interoperability between Web pages and apps, like when an iTunes preview page automatically launches the App Store app.

To read this article in full or to leave a comment, please click here

You are receiving this email because you subscribed to this feed at blogtrottr.com.

If you no longer wish to receive these emails, you can unsubscribe from this feed, or manage all your subscriptions
Previous
Next Post »