Major macOS Mail App Harbors Major Vulnerabilities
How do you manage your email? For those who receive a high volume of messages every day and depend on their email for work purposes, answering this question is essential. Most stock mail clients don’t always offer the capabilities you need from them; for that reason, many people choose to use third-party email management programs. macOS users are no exception. However, it is important to be aware that this software, like any other, can put your data at risk if the developers fail to take appropriate security measures. That appears to be the case with a popular macOS email client called Airmail 3.
Security researchers recently uncovered some severe flaws in Airmail: using a very simple method, the bad guys could potentially pilfer all your emails and even their attachments without ever alerting you. All they need to do is convince you to click on one link. How does it work?
Initially, an attacker would send a message with a malformed URL in the body of the email. When clicked, this URL takes advantage of Airmail’s ability to send mail through the client to exfiltrate user messages. In combination with another snippet of code, this attack can attach documents to the emails the hacker sends back to themselves. In one version of this hack, the user didn’t even need to click on the link — it would work just by being loaded in the app. However, this vector proved unreliable, but not before researchers uncovered an additional security hole that could allow malicious plugins to escape detection by the system.
Naturally, these are some severe flaws, especially since users may not anticipate that their mail clients are vulnerable to attack. For their part, the developers of Airmail received the news and quickly announced they would push an update to the client as soon as possible. They added they believed the attack was merely “hypothetical,” and that no one had experienced data loss as a result of the open vulnerabilities.
What about iOS users? The researchers say you, too, could be vulnerable, but there is as yet no confirmation of the vulnerabilities present in the mobile version. If you are an Airmail user, be on the watch for incoming updates and be sure to apply the patch as soon as possible. Otherwise, you’re leaving the door open to hackers, since info about these flaws is now out in the open.