An e-mail app recently acquired by Dropbox contains a security bug that opens iPhone and iPad users to a series of potentially serious attacks, a security researcher warned.

In a blog post published Wednesday, Michele Spagnuolo of Italy said that Mailbox for iOS will execute any JavaScript code embedded in the body of an HTML-formatted e-mail. A video shows how the bug can be exploited to open iOS apps without user prompting, simply by viewing a booby-trapped message. His post said the damage could be much more severe.

"This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an e-mail, and, using an [exploitation] framework, potentially much worse things," Spagnuolo wrote. In the past, the researcher has been credited with finding security vulnerabilities in Google, eBay and Nokia products or services.

About 90 minutes after this post was published, Mailboxapp.com representatives acknowledged the bug but downplayed the severity of attacks that might exploit it. A spokeswoman said a patch would most likely be available before the end of Wednesday.

"As others have noted, the risks here are extremely limited thanks to the inter-app security built into iOS," representatives wrote in a statement. "That being said, we're working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon."

Neither the representatives nor Spagnuolo said which versions of the app are affected. Apple's App Store doesn't indicate how many times users have downloaded the app, which has been reviewed by more than 40,000 people. Out of an abundance of caution, Mailbox users should switch to another e-mail app until a patch is released.