Chance Miller
Every so often we see a flaw in iOS that can render an entire app unusable.
In the past, these bugs have affected apps like Safari and Messages.
A new bug in iOS 16, however, can completely lock you out of the Mail app
with a single email that contains some weird text in the "from" field. Here
are the details and how it impacts each mail service.
iOS 16 Mail app crash due to rogue text
The flaw was discovered by the folks at Equinux, which makes a VPN Tracker
service for Mac and iPhone. The team discovered this bug in iOS 16 while
analyzing spam emails.
" We started seeing iOS mail problems for multiple people on our team: Mail
was crashing immediately on launch.
It turns out the team had all received the same spam message. Looking at the
raw source of the message didn't immediately reveal any red flags - it was a
pretty basic HTML email. However, a look at the mail headers showed that the
spammers had done something unusual in the "from" field."
Usually, the "From" field in an inbound email looks like this:
. From: sender@xxxxxxxxxxx .
But the maliciously crafted email has a "From" field that looks like this
instead:
. From: ""@ example.com.
What this means, according to Equinux, is that "anyone can send any iOS 16
user an email that can lock them out of their inbox." They've created a form
field on their website that you can use to test the flaw, which they are
referring to as "Mailjack."
Mailjack can impact the Mail app on any device running iOS 16 (the stable
release), iOS 16.0.1 on the iPhone 14, and the latest iPadOS 16 betas, but
there are some caveats. Some mail services, including Gmail, Outlook, and
Hotmail rewrite inbound emails to prevent things like this from happening.
Additionally, Gmail and Yahoo block these maliciously crafted emails
entirely. But one of the email services that doesn't do anything to protect
against these emails is iCloud Mail, Apple's own first-party option. There
are also a number of IMAP mail services that "do not correct or rewrite
inbound mails."
" A simple way to test is to use your iCloud email account, but note that it
may be marked as spam (you need to check your spam folder). Note that not
all email providers will deliver the message as they might rewrite emails
before delivering to the device."
The email could also get trapped in the "Spam" inbox. In this situation, the
Mail app will crash every time you look at your spam inbox. This is better
than if the email was to appear in your primary inbox, but emails are able
to escape to the primary inbox pretty easily depending on the sender.
The solution to this problem, for now, is to delete the email from your
account on a device that's not running iOS 16 or via a different mail
client:
" As soon as you delete the email from your account using another device,
different email client or on the web, Mail updates your inbox and stops
crashing.
Moving the email to a subfolder in an IMAP email account will also fix your
inbox, but Mail will crash again if you navigate to that folder."
We've reached out to Apple for comment. For the time being, you can test the
Mailjack flaw for yourself on the Equinux website. (I tested it and don't
recommend trying it, but that's up to you.)
===========================================================
The fb-exchange mailing list
Manage account,
List Page: https://www.freelists.org/list/fb-exchange
Archive: https://www.freelists.org/archive/fb-exchange
Administrative contact: insight@xxxxxxxxxxxxxxxxxxxx
===========================================================
