Mailbox App Allows HTML Emails to Execute Malicious JavaScript Code
Michele Spagnuolo, a well-known security expert and blogger, recently reported a vulnerability in Mailbox that allows any JavaScript contained in the body of an email to be executed in the app.
Here’s what he writes (via
This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploitation framework, potentially much worse things. The app also loads external images without offering an option to disable this behavior.
The Mailbox developers reacted very quickly: they promise this security hole will be patched within a few hours.
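Both behaviours described above (script in the message body and remote images loading automatically) can be checked for on the receiving side before a message is handed to a web view. The following Python is an added example, not code from Mailbox or from Spagnuolo's report; the class and function names and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
LINK_ATTRS = {"href", "action", "formaction"}   # followed on user interaction
FETCH_ATTRS = {"src", "background", "poster"}   # fetched as soon as the mail renders
SCRIPT_SCHEMES = {"javascript", "vbscript"}


class ActiveContentAudit(HTMLParser):
    """Collects (kind, tag, detail) findings for one HTML email body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag, ""))
        for name, value in attrs:
            # Browsers ignore tabs and newlines inside a URL, so drop
            # whitespace before reading the scheme.
            url = "".join((value or "").split())
            scheme = url.split(":", 1)[0].lower() if ":" in url else ""
            if name.startswith("on"):
                self.findings.append(("event-handler", tag, name))
            elif name in LINK_ATTRS | FETCH_ATTRS and scheme in SCRIPT_SCHEMES:
                self.findings.append(("script-url", tag, name))
            elif name in FETCH_ATTRS and (scheme in {"http", "https"} or url.startswith("//")):
                self.findings.append(("remote-load", tag, url))


def audit_email_html(body):
    """Return findings in document order for one HTML body."""
    parser = ActiveContentAudit()
    parser.feed(body)
    parser.close()
    return parser.findings


# Constructed sample body; hosts and addresses are placeholders.
SAMPLE_BODY = """\
<html><body><p>Hello</p>
<img src="https://tracker.example/open.gif?u=42" width="1" height="1">
<img src="cid:logo@mail.example">
<a href="JaVa&#115;cript:void(0)">unsubscribe</a>
<div onclick="void(0)">hi</div>
<script>/* inert placeholder */</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_email_html(SAMPLE_BODY):
        print(finding)
```

This only reports what it finds; it is not a sanitizer, and loads triggered from CSS (`url(...)` in styles) are outside its scope.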
And here’s what you can actually do using the malicious JavaScript code: