Developers behind the Airmail 3 email client for iPhone and Mac OS X have issued a software update after researchers from the security firm Versprite used reverse engineering to find vulnerabilities in its URL scheme.
In a highly technical report, Versprite explains that the URL its experts examined for Airmail’s “send message” command had only one parameter requiring prior knowledge: the “account” parameter, which determines which configured Airmail account sends the message. However, “Based on our observations, an account name is equal to the account’s associated email address by default. In addition, Airmail’s ‘send’ command does not require re-authentication. Not only does this allow local applications to send emails through Airmail’s URL scheme, but it also introduces a dangerous phishing primitive.”
Versprite also warns that because Airmail permits HTML content within emails, attackers can trigger the “send” command through a hyperlink placed in an email. “Modern applications should typically request permission from the user prior to forwarding requests to custom URL handlers,” the report states. “Unfortunately, permission is not requested by Airmail, and the user is not prompted when the handler processes the ‘send’ command. Instead, Airmail will instantly send an attacker crafted email from the target account. At first glance, this may seem like a negligible issue, but this attack becomes much more concerning when file attachments are considered.”
Among other issues, the researchers also noted that Airmail’s email messages are stored in a particular database, but the path to this database is “relatively deterministic.” Consequently, attackers can take advantage by crafting a payload that “exfiltrates a user’s emails by attaching this database to an email sent to themselves.”
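As an added illustration, not code from the Versprite report or from Airmail, the following hypothetical policy layer shows the two mitigations the findings imply for a URL-scheme “send” handler: never send without a user confirmation prompt, and never attach files from the client’s own data directory, however predictable its path. The scheme name `hypomail`, the `account` and `attachment` parameters, and all paths are assumptions constructed for the example.

```python
"""Hypothetical policy layer for a mail client's custom URL-scheme handler.

Models the mitigations implied by the Airmail report: a URL-scheme request
never sends directly (it can at most ask the user), and it can never attach
files from the application's own data directory. Scheme name, parameter
names and paths are constructed for illustration, not Airmail's real ones.
"""
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

APP_DATA_DIR = Path("/Users/alice/Library/Application Support/HypoMail")  # constructed
ALLOWED_ATTACH_ROOTS = [Path("/Users/alice/Documents")]  # constructed, user-chosen


@dataclass
class Decision:
    action: str   # "prompt" (needs explicit user confirmation) or "reject"
    reason: str


def _inside(path: Path, root: Path) -> bool:
    """True if path lies within root after normalisation."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def evaluate_send_request(url: str, configured_accounts: set[str]) -> Decision:
    """Classify a 'send' request arriving through the URL scheme.

    The best outcome is 'prompt': the caller must still show a confirmation
    dialog, because the request may come from a hyperlink in an HTML email
    rather than from the user. Nothing here ever returns an auto-send.
    """
    parts = urlsplit(url)
    if parts.scheme != "hypomail" or parts.netloc != "send":
        return Decision("reject", "not a send command")
    params = parse_qs(parts.query)
    account = params.get("account", [""])[0]
    if account not in configured_accounts:
        return Decision("reject", "unknown account")
    for raw in params.get("attachment", []):
        # resolve() collapses '..' so traversal cannot dodge the directory checks
        p = Path(raw).resolve()
        if _inside(p, APP_DATA_DIR.resolve()):
            return Decision("reject", "attachment inside app data directory")
        if not any(_inside(p, root.resolve()) for root in ALLOWED_ATTACH_ROOTS):
            return Decision("reject", "attachment outside allowed roots")
    return Decision("prompt", "ask user before sending")
```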
In its latest software update, Airmail, which is owned by the Italian company Bloop SRL, refers to the vulnerabilities collectively as a “potential URL scheme vulnerability fix.”