Earlier today, an Italian software engineer revealed that a significant security flaw exists in the popular Mailbox application that many users of iOS devices rely on for mail access. Through this vulnerability, maliciously formed emails sent to users of the app can run arbitrary code, exposing both the device and the account associated with it to a wide range of potential risks, including the complete compromise of any sensitive data stored within them.
Mailbox is a great app, and one many of us have used on our own devices since it launched, but being able to respond quickly to vulnerabilities until the vendor releases a patch is a critical element of a good cloud security plan. If you are currently licensed for Apps Firewall, instructions for responding to this vulnerability today are listed below.
Note that Mailbox requires a significant amount of API access when it is associated with a Google account: it can read and send mail, manage contacts, and impersonate you as a service. These permissions are reasonable under normal circumstances, but if the application is controlled by a malicious third party, the same permissions could lead to significant data leakage or even financial loss.
To immediately revoke access for this application, and so prevent the vulnerability from exposing critical data stored within a Google Apps account or set of accounts associated with it, log into an instance of Apps Firewall, select Mailbox from the Apps Browser list, select “Revoke” from the Actions menu, and click “Revoke”.
Note that this revokes the application's access and sends a notification to your user base explaining why. Telling users that Mailbox is compromised and should not be used until a patch is released is good security practice, since it helps prevent a simple re-authentication from within the app. Alternatively, marking the application as Banned makes Apps Firewall revoke all instances of Mailbox automatically on a daily basis, ensuring that, while it remains banned, no user can bypass the remediation policy put in place.
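The revoke-and-ban policy described above, expressed as an added example that is not Apps Firewall's own code: it plans revocations of OAuth grants for a banned app from token records. The record shape follows the Google Admin SDK Directory API tokens resource (clientId, displayText, scopes), but every value, including the client ids and the sample grants, is constructed, and nothing is fetched from Google.

```python
"""Plan OAuth-grant revocations for a banned third-party app (added example)."""
from dataclasses import dataclass, field

# Scopes that let an app read/send mail or manage contacts, i.e. the access the
# advisory says a compromised Mailbox install could abuse.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox read/send",
    "https://www.google.com/m8/feeds/": "contacts read/write",
}

@dataclass
class Grant:
    user_key: str      # Google Apps user who authorised the app
    client_id: str     # OAuth client id; constructed, not Mailbox's real id
    display_text: str  # app name shown on the consent screen (user-visible only)
    scopes: list

@dataclass
class Revocation:
    user_key: str
    client_id: str
    risks: list = field(default_factory=list)  # why this grant mattered

def plan_revocations(grants, banned_client_ids):
    """One Revocation per grant whose client id is banned.

    Match on client id, not display_text: the name is free-form and another
    app could call itself "Mailbox". Re-run daily so that a user who simply
    re-authorises the app is caught again, like the 'Banned' policy above.
    """
    plan = []
    for g in grants:
        if g.client_id in banned_client_ids:
            risks = [HIGH_RISK_SCOPES[s] for s in g.scopes if s in HIGH_RISK_SCOPES]
            plan.append(Revocation(g.user_key, g.client_id, risks))
    return plan

# Constructed sample: two users granted the banned app, one granted a benign app.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "mailbox-client.example", "Mailbox",
          ["https://mail.google.com/", "https://www.google.com/m8/feeds/"]),
    Grant("bob@example.com", "mailbox-client.example", "Mailbox",
          ["https://mail.google.com/"]),
    Grant("alice@example.com", "calendar-tool.example", "CalTool",
          ["https://www.googleapis.com/auth/calendar.readonly"]),
]
BANNED = {"mailbox-client.example"}

if __name__ == "__main__":
    for r in plan_revocations(SAMPLE_GRANTS, BANNED):
        print(f"revoke {r.client_id} for {r.user_key}: {', '.join(r.risks)}")
```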
If you are not currently a customer of Apps Firewall, your Google Apps accounts may be at immediate risk of compromise if a user allows unrestricted code to run on a device that has access to their data via OAuth.