The iOS email app Mailbox was recently purchased by Dropbox. The problem? It's got a wide-open security hole that could allow someone to hijack your device.
As Italian researcher Michele Spagnuolo shows, the Mailbox app will execute any JavaScript code embedded in the body of an HTML email message. He demonstrates how opening a JavaScript-equipped message will cause the iOS app to launch autonomously.
Update: Here's Mailbox's statement on this issue.
Many thanks to the community for continuing to push Mailbox to be as great an app as possible. As others have noted, the risks here are extremely limited thanks to the inter-app security built into iOS. That being said, we're working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon.
[Michele Spagnuolo via Ars Technica]