Major Vulnerability for iOS with Mailbox.app

Mailbox.app is an email application for iOS devices that was recently acquired by Dropbox less than a month after it launched.

According to this blog post by Miki Spag, Mailbox.app will execute any JavaScript included in the body of an email. Spag writes that this vulnerability “allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploiting framework, potentially much worse things.”

In the video below, Spag demonstrates how simple it is to execute JavaScript code from within the app.

Currently Mailbox is available only for iOS and works only with Gmail; its aim is to help users achieve “Zero Inbox.”

Until Mailbox developers are able to patch this substantial vulnerability, Roboscan recommends iOS users default to the native Mail app or to Gmail’s iOS app.