Apple Mail Vulnerability Enabled Email and Account Theft

A vulnerability in Apple Mail for macOS allowed an attacker to steal users' emails and accounts without any interaction from the victim. Just sending a malicious e-mail was enough. Apple released a security update last July, but details have only now been revealed.

Apple Mail has a feature that automatically compresses and decompresses email attachments sent between Mail users. Apple Mail zips the sender's attachment and adds an option to the MIME headers. When another Mail user receives the email, the compressed attachment is automatically extracted.

Security researcher Mikko Kenttälä discovered that the extracted data is not removed from the temporary directory and that it is not a unique directory. An attacker could use this to gain unauthorized write access to ~/Library/Mail and the $TMPDIR by means of symlinks in the attached zip files and thus modify the configuration of Apple Mail, allowing for email forwarding.

To carry out the attack, an attacker sends an email with two zip files to the victim. The first zip file contains a symlink called Mail pointing to "$HOME/Library/Mail" and a text file. Mail extracts the zip file and leaves the symlink. The second zip file contains the configuration tweak for Apple Mail. Due to the symlink present, the contents of this zip file are extracted in Library/Mail.
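
The two weaknesses described above (a shared extraction directory that is never cleaned up, and symlinks accepted from the archive) can be avoided as in the following added example, which is not from the original article and is not Apple's fix. The names safe_extract, audit_entries and UnsafeArchive are hypothetical.

```python
import os
import shutil
import stat
import tempfile
import zipfile


class UnsafeArchive(Exception):
    """An entry could write outside the extraction directory."""


def audit_entries(zf):
    """Return (name, reason) for each entry that must not be extracted."""
    findings = []
    for info in zf.infolist():
        mode = info.external_attr >> 16  # Unix mode bits stored by the creator
        if stat.S_ISLNK(mode):
            findings.append((info.filename, "symlink entry"))
        elif info.filename.startswith("/") or ".." in info.filename.split("/"):
            findings.append((info.filename, "path escapes root"))
    return findings


def safe_extract(zip_path):
    """Extract into a fresh private directory; the caller deletes it after use."""
    # mkdtemp gives a new directory per call (mode 0700), so nothing left by an
    # earlier attachment can redirect this extraction.
    root = os.path.realpath(tempfile.mkdtemp(prefix="attach-"))
    try:
        with zipfile.ZipFile(zip_path) as zf:
            findings = audit_entries(zf)
            if findings:
                raise UnsafeArchive(findings)
            for info in zf.infolist():
                # Defence in depth: the resolved target must stay under root.
                dest = os.path.realpath(os.path.join(root, info.filename))
                if os.path.commonpath([root, dest]) != root:
                    raise UnsafeArchive([(info.filename, "resolves outside root")])
                zf.extract(info, root)
    except Exception:
        shutil.rmtree(root, ignore_errors=True)  # leave nothing behind on failure
        raise
    return root
```

Python's zipfile module writes symlink entries out as ordinary files, so the explicit rejection matters most when the same logic is ported to an extractor that recreates links.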

For example, it is possible to adjust the configuration of Apple Mail and automatically forward incoming e-mail to an e-mail address of the attacker. In this way, they can not only get hold of confidential e-mail, but also perform password resets. The reset mail is also forwarded, which makes it possible to take over all kinds of accounts.

According to Kenttälä, remote code execution might also be possible, but he has not investigated this further. The vulnerability could also be used for a worm-like attack, as the rogue zip files can be attached to any email sent via the victim's signature.

The researcher warned Apple on May 24 last year, and the company released a security update on July 15. Apple only announced the existence of the vulnerability on November 12. It is more common for Apple to reveal which vulnerabilities have been fixed only after the release of a security update. Kenttälä has now made the technical details public. It is still unknown what amount he will receive for his bug report.
