Visit http://www.latestdigitals.com for the latest digital and technology news.
A popular iOS application for managing Google Mail inboxes has disabled JavaScript from running within HTML emails after a security flaw was found.
The flaw, which means an attacker could potentially run code from within the body of an email on the user’s phone, was discovered in Mailbox.app by independent security researcher, Michele Spagnuolo.
He also demonstrated in a video how this code can be used to open apps and send texts and emails.
Bad for security and privacy
In his blog, he said: “This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and potentially much worse things, especially for jailbroken devices.”
While this may seem innocuous, Spagnuolo added in a comment on the tech blogging site Ars Technica that even though apps are protected from affecting the wider operating system (through a method known as ‘sandboxing’), this has been broken on more than one occasion, once where Mobile Safari was hacked to transmit the user’s SMS database to a remote server, and again when a website was launched that allowed users to remotely jailbreak their phones via a website.
Mailbox responds
Mailbox responded a few days later by issuing a fix on their servers which filters out JavaScript, and issued a statement via their blog: “Yesterday evening a security blogger raised concern about Mailbox running javascript within HTML email messages. As many have noted, the real risks presented by running javascript within Mailbox are extremely limited thanks to how iOS is designed.”
That being said, today we implemented a process that strips javascript from messages before delivering them to mobile devices. This feature is now live on Mailbox servers and filtering new mail. This will be particularly important as we develop for other platforms, where javascript vulnerabilities could be more of an issue.”
2. Mailbox.app makes changes after security flaw
www.latestdigitals.com
Mailbox.app
makes changes
after security flaw
For the latest tech news, visit
www.latestdigitals.com
everyday!
4. Mailbox.app makes changes after security flaw
www.latestdigitals.com
A popular iOS application for managing Google
Mail inboxes has disabled JavaScript from running
within HTML emails after a security flaw was found.
The flaw, which means an attacker could
potentially run code from within the body of an
email on the user‟s phone, was discovered in
Mailbox.app by independent security researcher,
Michele Spagnuolo.
He also demonstrated in a video how this code
can be used to open apps and send texts and
emails.
6. Mailbox.app makes changes after security flaw
www.latestdigitals.com
In his blog, he said: “This is bad for security and
privacy, because it allows advanced spam
techniques, tracking of user actions, hijacking the
user by just opening an email, and potentially much
worse things, especially for jailbroken devices.”
7. Mailbox.app makes changes after security flaw
www.latestdigitals.com
While this may seem innocuous, Spagnuolo added
in a comment on the tech blogging site Ars
Technica that even though apps are protected
from affecting the wider operating system (through
a method known as „sandboxing‟), this has been
broken on more than one occasion, once where
Mobile Safari was hacked to transmit the user‟s SMS
database to a remote server, and again when a
website was launched that allowed users to
remotely jailbreak their phones via a website.
9. Mailbox.app makes changes after security flaw
www.latestdigitals.com
Mailbox responded a few days later by issuing a fix
on their servers which filters out JavaScript, and
issued a statement via their blog: “Yesterday
evening a security blogger raised concern about
Mailbox running javascript within HTML email
messages. As many have noted, the real risks
presented by running javascript within Mailbox are
extremely limited thanks to how iOS is designed.”
10. Mailbox.app makes changes after security flaw
www.latestdigitals.com
That being said, today we implemented a process
that strips javascript from messages before
delivering them to mobile devices. This feature is
now live on Mailbox servers and filtering new mail.
This will be particularly important as we develop for
other platforms, where javascript vulnerabilities
could be more of an issue.”
11. Mailbox.app makes changes after security flaw
www.latestdigitals.com
For the latest tech news, visit
www.latestdigitals.com
everyday!