Popular iPhone Mailbox App Security Flaw Fixed

    Did you know that the Mailbox iPhone app had a serious security flaw?

    I first heard about it when I logged on to my email this morning, and found this note from Kevin O’Brien, enterprise solution architect at CloudLock:

    An Italian software engineer revealed that a significant security flaw exists in the popular Mailbox application that many users of iOS devices rely on for mail access. The report that was released demonstrated that maliciously formed emails received by end-users of the incredibly popular Mailbox app can be used to execute arbitrary code, exposing both the device and the account associated with it to a wide range of potential risks, including the complete compromise of any sensitive data stored within them.

    No, I hadn’t heard that, so I went to investigate a little further. Security expert Graham Cluley posted this on his blog:

    Italian security researcher Michele Spagnuolo – who has previously found security flaws in Google, eBay, MailChimp and Yahoo – discovered that the Mailbox app will execute any Javascript which is present in the body of HTML emails. The makers of the Mailbox app have been aware of the security vulnerability since the end of May 2013, but the vulnerability is still there.

    The blog was published late yesterday afternoon. Other articles I saw as I investigated the story added an update: The problem has been fixed. At first glance, it’s easy to be impressed. Problem was made public yesterday; problem fixed in a matter of hours. But then you take a second look at what Cluley wrote – that Mailbox, which is owned by Dropbox, has been aware of the vulnerability for several months. In fact, Infosecurity shared a Twitter exchange from May, where a Twitter user reported the JavaScript problem and Mailbox responded with “We’re working on it!”

    This story is a good reminder that most vulnerabilities and security flaws are a problem long before the news reaches the general public, and it may be the negative publicity that spurs the software developers to provide a fix.

    Sue Poremba
    Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
