Popular iPhone Mailbox App Security Flaw Fixed

Sue Marquette Poremba

Did you know that the Mailbox iPhone app had a serious security flaw?

I first heard about it when I logged on to my email this morning, and found this note from Kevin O’Brien, enterprise solution architect at CloudLock:

An Italian software engineer revealed that a significant security flaw exists in the popular Mailbox application that many users of iOS devices rely on for mail access. The report that was released demonstrated that maliciously formed emails received by end-users of the incredibly popular Mailbox app can be used to execute arbitrary code, exposing both the device and the account associated with it to a wide range of potential risks, including the complete compromise of any sensitive data stored within them.

No, I hadn’t heard that, so I went to investigate a little further. Security expert Graham Cluley posted this on his blog:

Italian security researcher Michele Spagnuolo – who has previously found security flaws in Google, eBay, MailChimp and Yahoo – discovered that the Mailbox app will execute any JavaScript which is present in the body of HTML emails. The makers of the Mailbox app have been aware of the security vulnerability since the end of May 2013, but the vulnerability is still there.

The blog was published late yesterday afternoon. Other articles I saw as I investigated the story added an update: The problem has been fixed. At first glance, it’s easy to be impressed. Problem was made public yesterday; problem fixed in a matter of hours. But then you take a second look at what Cluley wrote – that Mailbox, which is owned by Dropbox, has been aware of the vulnerability for several months. In fact, Infosecurity shared a Twitter exchange from May, where a Twitter user reported the JavaScript problem and Mailbox responded with “We’re working on it!”

This story is a good reminder that most vulnerabilities and security flaws are a problem long before the news reaches the general public, and it may be negative publicity, rather than the original report, that spurs software developers to provide a fix.
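The flaw Cluley describes is an HTML mail client rendering message bodies without first removing active content, so any script in an incoming email runs in the reader's context. The usual mitigation is to sanitize the HTML with an allowlist before it reaches the rendering view: keep a small set of formatting elements, drop script-bearing elements together with their contents, strip every event-handler attribute, and reject link URLs whose scheme is not http, https or mailto. The code below is an added illustration written for this post, not code from Mailbox, Dropbox, or any of the researchers quoted; the sample message, the `MailHtmlSanitizer` class, the `sanitize_mail_html` function and the allowlists are all constructed here, and the allowlists are deliberately small (images, for example, are left out because remote image loading is a separate policy decision).

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlists for this example: anything not listed is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "a", "ul", "ol", "li",
                "blockquote", "div", "span", "h1", "h2", "h3", "table", "tr", "td", "th"}
# Elements whose entire subtree is discarded, not just the opening/closing tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math", "template"}
ALLOWED_ATTRS = {"href", "title"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value):
    """True only for absolute URLs with an allowlisted scheme.

    Whitespace and control characters are removed first, because browsers
    ignore them inside a scheme and they are a common way to hide one.
    """
    cleaned = "".join(ch for ch in value if ch > " " and ch != "\x7f")
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class MailHtmlSanitizer(HTMLParser):
    """Token-based allowlist sanitizer (hypothetical helper for this example).

    Comments, declarations and processing instructions are discarded by
    HTMLParser's default handlers, so only the three handlers below matter.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments, joined at the end
        self.drop_depth = 0  # >0 while inside a dropped subtree
        self.dropped = []    # record of removals, useful for detection telemetry

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1  # nested <script> inside <iframe>, etc.
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            self.dropped.append(f"element:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"element:{tag}")  # tag removed, its text is kept
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # on* handlers are already outside the allowlist; the explicit test
            # documents the intent and survives later allowlist edits.
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            if name == "href" and not _safe_url(value or ""):
                self.dropped.append(f"url:{value}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            # Re-escape text so decoded entities cannot become markup again.
            self.out.append(escape(data, quote=False))


def sanitize_mail_html(raw_html):
    """Return (sanitized_html, list_of_removed_items) for one message body."""
    parser = MailHtmlSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message: formatting to keep, active content to remove.
SAMPLE_MAIL = (
    '<p>Hello <b>team</b>,</p>'
    '<script>document.title = "changed"</script>'
    '<p onmouseover="run()">Read the <a href="javascript:run()">report</a> '
    'or the <a href="https://example.com/report" title="Q3">mirror</a>.</p>'
    '<img src="https://example.com/pixel.gif" onerror="run()">'
)

if __name__ == "__main__":
    clean, removed = sanitize_mail_html(SAMPLE_MAIL)
    print(clean)
    print("removed:", removed)
```

The `dropped` list is worth keeping: a mail client that counts how often it removes `script` elements or `javascript:` links gets a cheap signal that someone is probing its readers, which is exactly the kind of report that sat unaddressed for months in this story.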

Oct 13, 2013 4:51 AM Mac Review says:
This is seriously alarming, especially since the main reason why people buy their gadgets is because of security against viruses and hackers. I've always doubted syncing private files in iCloud - for now, I will pass on the idea.
