An e-mail app recently acquired by Dropbox contains a security bug that opens iPhone and iPad users to a series of potentially serious attacks, a security researcher warned.
In a blog post published Wednesday, Michele Spagnuolo of Italy said that Mailbox for iOS will execute any JavaScript code embedded in the body of an HTML-formatted e-mail. A video shows how the bug can be exploited to open iOS apps without user prompting, simply by viewing a booby-trapped message. His post said the damage could be much more severe.
"This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an e-mail, and, using an [exploitation] framework, potentially much worse things," Spagnuolo wrote. In the past, the researcher has been credited with finding security vulnerabilities in Google, eBay and Nokia products or services.