Windows-based Outlook Express for a long time had been the center of controversy for Microsoft for implementing an insecure email client from 1993 till 2006. It was only until the release of Windows Vista’s Mail app (Outlook Express’ successor.) when Microsoft started to pick-up a better PR for their email client’s security reputation.
However, vulnerabilities and exploits in an email client are not a monopoly of Microsoft. As targets, the Windows platform is the biggest but the market share of MacOS computers is growing too. This made the Apple platform attractive for exploits and vulnerability attacks. Recently Airmail 3, a very popular email client for the MacOS has been exposed for being vulnerable to hackers, who can extract users’ emails using a trojan email message. The news has been released by VeraSprite, a mobile phone app development firm.
Airmail 3’s vulnerability came from its use of the same specific location for storing emails, a very visible and unchanging location, ripe for attacks from outside the network. A simple malformed link can grant access to all the email messages to the attackers almost instantly. “By default, Airmail 3 allows for HTML content within emails. This means that an attacker may abuse the send command through a hyperlink in an email. Modern applications should typically request permission from the user prior to forwarding requests to custom URL handlers. Unfortunately, permission is not requested by Airmail, and the user is not prompted when the handler processes the send command,” said VerSprite in their blog.
The flaw was discovered in the MacOS version of the app, while as of this writing it is still unknown if the iOS version is also vulnerable. User’s education and alertness will be tested by the exploit, as accidental clicks is enough for the emails of the user to get leaked to the attacker. “Despite its lack of reliability, this attack vector is particularly dangerous due to the minimal user interaction required for exploitation. Many users are trained to avoid clicking untrusted links in an email, but how many are trained to avoid clicking the email message itself? This security issue allows for the previously described payload to be trigger when a user clicks to view an email message,” continued VerSprite.
Fabius Watson, VerSprite’s Security Research Manager said: “Based on our observations, an account name is equal to the account’s associated email address by default. In addition, Airmail’s send command does not require re-authentication. Not only does this allow local applications to send emails through Airmail’s URL scheme, but it also introduces a dangerous phishing primitive. Modern applications should typically request permission from the user prior to forwarding requests to custom URL handlers. The URL parameters for the send command with the ‘attachment_’ prefix designate attachment parameters. If the value of an attachment parameter corresponds to an accessible file path, the file is attached to the outbound message. In addition, relative file paths are acceptable attachment parameter values.”
Users are advised to stop using Airmail until the authors make a fixed version of the app.
