Mailbox.app makes changes after security flaw


Visit http://www.latestdigitals.com for the latest digital and technology news.

A popular iOS application for managing Google Mail inboxes has stopped JavaScript from running within HTML emails after a security flaw was found.

The flaw, which means an attacker could potentially run code from within the body of an email on the user’s phone, was discovered in Mailbox.app by independent security researcher Michele Spagnuolo.

He also demonstrated in a video how this code can be used to open apps and send texts and emails.

Bad for security and privacy

In his blog, he said: “This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and potentially much worse things, especially for jailbroken devices.”

While this may seem innocuous, Spagnuolo added in a comment on the tech blogging site Ars Technica that even though apps are protected from affecting the wider operating system (through a method known as ‘sandboxing’), this protection has been broken on more than one occasion: once when Mobile Safari was hacked to transmit the user’s SMS database to a remote server, and again when a website was launched that allowed users to jailbreak their phones remotely.

Mailbox responds

Mailbox responded a few days later by issuing a fix on their servers which filters out JavaScript, and issued a statement via their blog: “Yesterday evening a security blogger raised concern about Mailbox running javascript within HTML email messages. As many have noted, the real risks presented by running javascript within Mailbox are extremely limited thanks to how iOS is designed.

“That being said, today we implemented a process that strips javascript from messages before delivering them to mobile devices. This feature is now live on Mailbox servers and filtering new mail. This will be particularly important as we develop for other platforms, where javascript vulnerabilities could be more of an issue.”

Published in: Technology, News & Politics