Attackers can abuse URL requests processed by an email program for Mac to steal files from the victim — sometimes without user interaction.

Severe vulnerabilities in the Airmail 3 software – an alternative to Apple Mail for MacOS – would allow a remote attacker to steal a user’s past emails and file attachments, in many cases without requiring user interaction beyond simply opening a weaponized message, researchers said.

Security analysts at VerSprite said that they discovered that URL requests processed by Airmail 3 can be abused to steal files from the victim, while requiring little skill to do so. An attacker would simply send an email to an Airmail 3 user containing a link with a URL request that triggers the “send mail” function of the application. Unbeknownst to the user, if clicked, this link opens up and sends a new email message from the victim account to the attacker. Other elements could also be embedded in the attack email that will cause Airmail 3 to attach files to that outgoing message – such as previously sent emails.

Worse, the research team also found out they were also able to bypass Airmail’s HTML filters part of the time, to trigger the exploit instantly. If the victim clicks to view the weaponized message within Airmail 3, the exploit is triggered and the database containing the victim’s email messages is automatically sent to the attacker. This aspect of the attack works only part of the time – but it still represents a concerning information-exfiltration vector against phishing-savvy targets.

A Set of Interrelated Vulnerabilities

There are four different vulnerabilities that the team uncovered that allow this attack scenario to happen, according to Fabius Watson, security research manager at VerSprite.

In an interview and in a technical writeup today on the flaw, he explained that first and foremost, a lack of remote log-in requirements for the portion of the code that handles the “send” function means that an attacker can force a victim account to send emails without having to authenticate to that account.

Watson added that specifically, incorrect access control for the airmail:// scheme handler for the send command allows an external application to send arbitrary emails from an active account without authentication. Airmail 3 stores an OAuth token, or if it’s a private server, keeps the configurations stored, so users don’t have to enter a password.

So, for an attacker to use the send command’s URL structure, he or she would only need to fill in an account parameter in the URL string to target the user; that determines from which configured Airmail account to send the new email message.

This is easy to do: “Based on our observations, an account name is equal to the account’s associated email address by default,” Watson explained. “In addition, Airmail’s send command does not require re-authentication. Not only does this allow local applications to send emails through Airmail’s URL scheme, but it also introduces a dangerous phishing primitive.”

To force the target account to send an email, an attacker would send an email of his or her own to the targeted user containing a weaponized URL request that would trigger the send function. The user would need to click on the link for the exploit to unfold.

By default, Airmail 3 allows for HTML content within emails, which would allow an attacker to craft more convincing emails using a weaponized hyperlink or clickable image that could obscure the URL string; this would boost the likelihood of the target clicking on the link. For instance, in the VerSprite proof-of-concept, the URL request link was hidden behind a button built to look like the standard “expand” button that Airmail 3 uses to let users expand messages for more content.

Meanwhile, the victim is not prompted to give permission for an outgoing mail to be sent; so, email can be sent from the target account without the victim being aware of it.

“Modern applications should typically request permission from the user prior to forwarding requests to custom URL handlers,” Watson said.

A second vulnerability would allow an attacker to use a specially crafted URL request to fetch specific documents from the user account database and attach them to the covert outbound email.

Watson explained, “The URL parameters for the send command with the ‘attachment_’ prefix designate attachment parameters. If the value of an attachment parameter corresponds to an accessible file path, the file is attached to the outbound message. In addition, relative file paths are acceptable attachment parameter values.”

This means that the attacker would need to know the name of the file that he or she is after; however, Watson pointed out that Airmail 3 files follow a known nomenclature that would allow an attacker to reasonably deduce the names of wanted file bundles.

For instance, “Airmail 3 stores its application data within SQLite databases,” Watson said. “Reviewing the table schemas of several Airmail databases revealed that email messages are stored within a database named Message_0_1_50000.db for each account. The path to this database is relatively deterministic.”

Also, a third vulnerability exists in the form of an incomplete blacklist of HTMLFrameOwnerElements, which allows remote attackers to load WebKit Frame instances through an email, Watson said.

“Airmail’s primary WebView instance blacklists requests from HTMLIFrameElements; but sub-classes of HTMLFrameOwnerElements are not forbidden by the policy,” he explained. “An attacker may abuse HTML plug-In elements within an email to trigger frame navigation requests that bypass [the HTML] filter,” he explained, meaning that the exploit content in the attacker’s email won’t be flagged as malicious. An attacker could embed 12 different HTML plug-ins, each containing a request for a different set of attachments.

Instant Exploitation

The fourth vulnerability makes it possible to execute the attack automatically when a victim opens the attacker’s email – some of the time.

“Although [the main] attack vector may be sufficient for phishing attacks, we were interested in an attack vector that required much less user interaction,” Watson said. “We know that Airmail renders HTML email messages within a WebKit WebView, [so we examined if it was] possible to automatically trigger a navigation request for the Airmail URL payload.”

The team found that while writing JavaScript to attempt this wouldn’t fly; however, it’s possible to trigger a race condition in “webView:decidePolicyForNavigationAction:request:frame:decisionListener:”; this allows remote attackers to bypass Airmail’s EventHandler navigation filter to open an embedded HTML element automatically. Watson said that this is because Airmail’s primary WebView instance uses OpenURL as the default URL handler. However, this attack doesn’t work all of the time.

“A navigation request is processed by the default URL handler only if the ‘currentEvent’ is ‘NX_LMOUSEUP’ or ‘NX_OMOUSEUP,'” explained Watson. “An attacker may abuse HTML Elements with an EventHandler for a chance to validate navigation requests for URLs that are processed during the ‘NX_LMOUSEUP’ event triggered by clicking an email.”

He added, “Although not 100 percent reliable, this vector allows for a dangerous attack scenario due to the minimal user interaction required for exploitation. Many users are trained to avoid clicking untrusted links in an email, but how many are trained to avoid clicking the email message itself?”

To make it even more dangerous, the attacker could set attributes to reduce the width and height of the clickable images to zero, so the victim can’t see the elements in the mail – the user would have to look at the mail’s source code to see the malicious URL request.

This approach is successful about half the time, Watson said.

The firm’s tests only covered Airmail 3 on Mac – the exploit has not been tested on the iOS version. Watson added that the flaws have been reported to Airmail, but patches have not yet been released; VerSprite is also in the process of submitting the issues to the MITRE vulnerability database for assigned CVEs. In a request for comment and patch status from Threatpost, Airmail simply said, “We will evaluate and fix if needed in a future update.”

“I would avoid using Airmail 3 until this is fixed,” Watson told Threatpost. “If they click the link, the attack is 100 percent successful. But there’s a 50 percent chance it will automatically trigger. And the attack can send anything within Airmail 3’s bundle to the attacker, including stored emails, attachment files and more.”

Image courtesy of Airmail.