Security researchers at Versprite have identified security flaws in Airmail for Mac that can expose private data, including an entire account’s email database. The attack requires a user to open a maliciously crafted email and tap a link inside the message. With a combination of technical exploit and phishing attack, it seems like a significant problem.

You can read the full breakdown of the vulnerabilities on the Versprite blog. Essentially, the researchers noticed that Airmail registers a custom URL scheme that can autonomously send an outbound email with particular content and attachment data.

They also discovered that the mail database where Airmail stores the email messages for an account are located in a ‘deterministic’ location in the file system. An unscrupulous attacker can combine these two pieces of information together.

You can create a link that uses the Airmail URL scheme such that when it is tapped by the recipient, it sends a new email to the ‘hacker’ that attaches all of the mail messages from the user.

It is a pretty big security problem as it stands, although there are some mitigations to consider. For a start, an attacker has to know that someone is using Airmail, and has to get the recipient to click on a link in the email they have sent in order for it to work. This particular attack also will not work if the name of the account is renamed from the default. The attackers identified a related vulnerability that would remove the required user interaction step altogether, but they could not execute it reliably.

If this was exploited in the real world, the malicious link would likely be disguised by some sort of phishing email. Some scary warning like ‘Click here to see an important message from your bank’ would be enough to encourage many people to click through.

Thankfully, there are some obvious ways in which Airmail can defend against these types of exploits so hopefully there will be an update released promptly that addresses the attack vectors.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author