Skip to main content

Security researchers show how attackers targeting Airmail for Mac could get a copy of all your emails

Security researchers at Versprite have identified security flaws in Airmail for Mac that can expose private data, including an entire account’s email database. The attack requires a user to open a maliciously crafted email and tap a link inside the message. With a combination of technical exploit and phishing attack, it seems like a significant problem.

You can read the full breakdown of the vulnerabilities on the Versprite blog. Essentially, the researchers noticed that Airmail registers a custom URL scheme that can autonomously send an outbound email with particular content and attachment data.

They also discovered that the mail database where Airmail stores the email messages for an account are located in a ‘deterministic’ location in the file system. An unscrupulous attacker can combine these two pieces of information together.

You can create a link that uses the Airmail URL scheme such that when it is tapped by the recipient, it sends a new email to the ‘hacker’ that attaches all of the mail messages from the user.

It is a pretty big security problem as it stands, although there are some mitigations to consider. For a start, an attacker has to know that someone is using Airmail, and has to get the recipient to click on a link in the email they have sent in order for it to work. This particular attack also will not work if the name of the account is renamed from the default. The attackers identified a related vulnerability that would remove the required user interaction step altogether, but they could not execute it reliably.

If this was exploited in the real world, the malicious link would likely be disguised by some sort of phishing email. Some scary warning like ‘Click here to see an important message from your bank’ would be enough to encourage many people to click through.

Thankfully, there are some obvious ways in which Airmail can defend against these types of exploits so hopefully there will be an update released promptly that addresses the attack vectors.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Benjamin Mayo Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.


Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications