Mailbox.app is a free email management application for iOS that offers very cool features to achieve Inbox Zero.
This is bad for security and privacy: it enables advanced spam techniques, tracking of user actions, and hijacking of the user simply by opening an email, and potentially much worse, especially on jailbroken devices. The app also loads external images without offering an option to disable this behavior.
Update 2013-09-25 20:11 CEST: About 90 minutes after Ars Technica published this, Mailbox.app representatives acknowledged the bug but downplayed the severity of attacks that might exploit it. A spokeswoman said a patch would most likely be available before the end of Wednesday.
Update 2013-09-26 09:00 CEST: Mailbox published this statement on their blog. They state:
As always, thanks for joining us on the road to build the world’s best inbox.
Update 2013-09-26 10:20 CEST: I posted a comment on Ars Technica expressing my opinion on the impact of this vulnerability:
First of all I would like to thank Dan for the article, and the Ars community for such a great reaction. I really like this kind of informed and civilized discussion, and am considering joining the community in the near future.
In my original report, now updated, I didn’t mean to sound “sensational” at all, and I personally do not think this article is “sensational” either.
Have a (slightly) safer day!
Update 2013-09-26 17:36 CEST: Mailbox support replied - they are working on a fix for my bypass.
Update 2013-09-27 06:28 CEST: Mailbox support confirms the fix for the bypass.
Thanks again for your email, Michele. We’ve updated the servers to also remove object tags.
We are continually evolving how Mailbox handles messages, and appreciate you passing on this information.
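The two fixes described on this page (first removing one kind of tag server-side, then also removing object tags after the bypass) and the automatic loading of external images are both symptoms of handling untrusted email HTML with a denylist. The following is an added example, written for this page and not code from the author or from Mailbox, of the allowlist approach a mail client or its server can take instead: keep a small set of harmless markup, drop every element that can load or run active content together with its contents, remove event-handler attributes and non-http(s) links, and rewrite remote image references so nothing is fetched until the user asks. The element lists, attribute names, the `data-blocked-src` convention and the sample message are all my own assumptions; nothing here describes how Mailbox's actual filter works.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements dropped together with everything inside them. A filter that strips
# only <script> is a denylist and gets bypassed (on this page: with <object>),
# so every element that can load or execute content is treated the same way.
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "applet",
                     "svg", "math", "template", "noscript", "form"}

# Allowlist of presentational markup (assumed set). Tags outside it vanish but
# their text content is kept, so an unknown tag never removes the message body.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "img", "div", "span", "blockquote", "h1", "h2", "h3",
                "table", "thead", "tbody", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
VOID_TAGS = {"br", "img"}
LINK_SCHEMES = {"http", "https", "mailto"}


class MailHtmlSanitizer(HTMLParser):
    """Allowlist-based rewriter for HTML mail bodies (assumed design)."""

    def __init__(self, block_remote_images=True):
        super().__init__(convert_charrefs=True)
        self.block_remote_images = block_remote_images
        self.out = []
        self.drop_depth = 0      # >0 while inside an element whose content is discarded
        self.blocked_images = 0  # remote images rewritten so the client does not fetch them

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Event handlers (onclick, onload, ...) and unlisted attributes go.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = (value or "").strip()
            if name == "href":
                # javascript:, data:, relative and other links are removed outright.
                if urlparse(value).scheme.lower() not in LINK_SCHEMES:
                    continue
            elif name == "src":
                scheme = urlparse(value).scheme.lower()
                if scheme in ("http", "https"):
                    if self.block_remote_images:
                        # Keep the URL for a later "load images" action, but not
                        # in an attribute the renderer will fetch automatically.
                        name = "data-blocked-src"
                        self.blocked_images += 1
                elif scheme != "cid":   # cid: refers to an inline MIME part
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)  # stray close tags are ignored
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))
    # Comments, doctype and processing instructions use HTMLParser's defaults
    # and are silently discarded.


def sanitize_mail_html(body, block_remote_images=True):
    """Return (sanitized_html, number_of_remote_images_blocked)."""
    parser = MailHtmlSanitizer(block_remote_images)
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.blocked_images


# Constructed sample message: active content, an event handler, a javascript:
# link, a remote tracking pixel and a legitimate inline (cid:) image.
SAMPLE_MAIL = (
    '<p>Hi <b>there</b>,</p>'
    '<script>alert(1)</script>'
    '<object data="https://example.invalid/x.swf"><param name="a" value="b"></object>'
    '<p onclick="alert(2)"><a href="javascript:alert(3)">link</a> '
    '<a href="https://example.invalid/">ok</a> '
    '<img src="https://example.invalid/t.gif" alt="tracker"> '
    '<img src="cid:logo@mail" alt="logo"></p>'
)

if __name__ == "__main__":
    cleaned, blocked = sanitize_mail_html(SAMPLE_MAIL)
    print(cleaned)
    print(f"remote images blocked: {blocked}")
```

The design choice that matters is that the parser fails closed: anything not on the allowlist disappears, and a new element type never needs to be added to a blocklist after the fact, which is exactly the patch-then-bypass cycle the updates above describe. Blocking remote images is done by renaming `src` rather than deleting it, so a client can still offer a per-message "load images" action while the default view makes no network requests.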