Mailbox App Allows HTML Emails to Execute Javascript

Security researcher Michele Spagnuolo has posted blog entry revealing that the Mailbox app executes any Javascript which is present in the body of HTML emails.


This is bad for security and privacy, because it allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploitation framework, potentially much worse things. The app also loads external images without offering an option to disable this behavior.
More at iHash.eu