Apple Mail Zero-Click Security Vulnerability Allows Email Snooping
Security News, April 2021
A zero-click security vulnerability in Apple's macOS Mail would allow a cyberattacker to add or modify any arbitrary file inside Mail's sandbox environment, leading to a range of attack types.
According to Mikko Kenttälä, founder and CEO of SensorFu, exploitation of the bug could lead to unauthorized disclosure of sensitive information to a third party; the ability to modify a victim's Mail configuration, including mail redirects, which enables takeover of the victim's other accounts via password resets; and the ability to change the victim's configuration so that the attack can propagate to correspondents in a worm-like fashion.
"In the valid use case, if the user creates an email and adds the folder as an attachment, it will be automatically compressed with ZIP and x-mac-auto-archive=yes; is added to the MIME headers. When another Mail user receives this email, compressed attachment data is automatically uncompressed."
"The first .ZIP includes a symlink named Mail which points to victims' $HOME/Library/Mail and file 1.txt," said Kenttälä.
"The .ZIP gets uncompressed to $TMPDIR/com.apple.mail/bom/. Based on the filename=1.txt.zip header, 1.txt gets copied to the mail directory and everything works as expected. However, cleanup is not done the right way and the symlink is left in place."
"In my example case I wrote new Mail rules for the Mail application. With that you can add an auto forward rule to the victim's Mail application."
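A defender-side check for the archive shape described above, as an added example that is not from the article, the researcher or Apple: it lists symlink entries in a ZIP before anything is extracted and flags targets that resolve outside the extraction directory. The function names, the extraction root and the sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile


def symlink_members(zip_bytes, extract_root="/tmp/extract"):
    """Return (name, target, escapes_root) for each symlink entry in a ZIP.

    Nothing is extracted: the link target is read from the member's data,
    which is where Unix-style ZIP writers store it.
    """
    root = posixpath.normpath(extract_root)
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # Unix mode bits, if recorded
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            # Resolve the target relative to where the link would be created.
            link_dir = posixpath.dirname(posixpath.join(root, info.filename))
            resolved = posixpath.normpath(posixpath.join(link_dir, target))
            escapes = not (resolved == root or resolved.startswith(root + "/"))
            findings.append((info.filename, target, escapes))
    return findings


def build_sample_zip(link_target="/Users/example/Library/Mail"):
    """Constructed sample: a regular file 1.txt plus a symlink named Mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1.txt", "hello")
        link = zipfile.ZipInfo("Mail")
        link.create_system = 3  # Unix, so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(link, link_target)
    return buf.getvalue()


if __name__ == "__main__":
    for name, target, escapes in symlink_members(build_sample_zip()):
        verdict = "REJECT (escapes extraction root)" if escapes else "review"
        print(f"symlink {name!r} -> {target!r}: {verdict}")
```

A mail gateway or unpacking service can run such a check on attachments and refuse archives whose symlinks point outside the directory they are unpacked into.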
News URL
https://threatpost.com/apple-mail-zero-click-security-vulnerability/165238/