CVE-2018-15670 in Airmail 3
Summary
by MITRE
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that OpenURL is the default URL handler. A navigation request is processed by the default URL handler only if the currentEvent is NX_LMOUSEUP or NX_OMOUSEUP. An attacker may abuse HTML elements with an EventHandler for a chance to validate navigation requests for URLs that are processed during the NX_LMOUSEUP event triggered by clicking an email.
Analysis
by VulDB Data Team • 03/17/2020
This vulnerability exists in Bloop Airmail 3 version 3.5.9 for macOS and is a client-side attack vector rooted in improper URL handling in the application's WebView component. The flaw lies in the implementation of the webView:decidePolicyForNavigationAction:request:frame:decisionListener: delegate method, which hands navigation requests to the OpenURL handler by default. The only gate in front of that handler is a check on the current event: the default URL handler is invoked when the current event is NX_LMOUSEUP or NX_OMOUSEUP, which gives malicious content a window to manipulate navigation during a legitimate user interaction.
Technically this is a case of inadequate input validation and event handling in an embedded web view. When a user interacts with email content containing malicious HTML elements, in particular elements with event handlers, an attacker can trigger navigation requests that bypass the intended check. The vulnerability targets the window between the user's click on an email element and the processing of the navigation decision: a navigation request issued during the NX_LMOUSEUP event is treated as user-initiated, so an arbitrary URL is passed to the default handler. A legitimate user action is thereby hijacked to perform an unauthorized navigation.
The operational impact goes beyond simple phishing: an attacker can redirect users to harmful websites, execute malicious code through URL schemes, or leverage the application's trust relationship with system components. Because a mail client is used constantly, the attack surface is significant and could allow persistent access or data exfiltration. In effect the vulnerability undermines the application's security model by letting malicious content control the navigation behavior of the WebView component during normal use.
From a cybersecurity perspective, this vulnerability aligns with CWE-79 and CWE-89 categories, representing cross-site scripting and SQL injection attack vectors respectively, though the specific implementation focuses on client-side navigation manipulation. The attack pattern follows ATT&CK technique T1059.001 for command and scripting interpreter and T1566 for credential access through spearphishing, as users may be tricked into clicking malicious links that execute unintended commands. The vulnerability also demonstrates characteristics of privilege escalation through application manipulation, as it leverages the trust relationship between the email client and system components.
Mitigation should start with patching the affected Airmail version. Developers should enforce strict URL validation in WebView components and base navigation decisions on mechanisms that do not depend on mouse event timing. Organizations should also consider network-level protections such as URL filtering and sandboxing to limit exploitation. A correct fix validates every navigation request regardless of user interaction timing and never invokes a URL handler automatically on the basis of a particular mouse event. Security awareness training on suspicious email content and on verifying URLs before clicking further reduces the success rate of exploitation.
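As an added illustration of the mechanism described above and of the fix recommended here (this is not Airmail's source code), the following Objective-C contrasts the event-timing check the advisory describes with a WebPolicyDelegate that decides from the navigation action's own metadata and a scheme allowlist. The class name MailContentPolicy, the http/https/mailto allowlist and the assumption that the message body is loaded via -loadHTMLString:baseURL: with a nil base URL are mine.

```objectivec
#import <Cocoa/Cocoa.h>
#import <WebKit/WebKit.h>   // legacy WebView and WebPolicyDelegate, the API the advisory names

@interface MailContentPolicy : NSObject <WebPolicyDelegate>   // hypothetical class name
@end

@implementation MailContentPolicy
// Weak pattern the advisory describes: a user click is inferred from the type of the current
// NSEvent (NX_LMOUSEUP / NX_OMOUSEUP are NSEventTypeLeftMouseUp / NSEventTypeOtherMouseUp).
// Script running in a mouse-up handler sees that same current event, so script-driven navigation
// fired during a click is indistinguishable from the user clicking a real link.
- (void)weakDecideForRequest:(NSURLRequest *)request listener:(id<WebPolicyDecisionListener>)listener
{
    NSEventType type = [[NSApp currentEvent] type];
    if (type == NSEventTypeLeftMouseUp || type == NSEventTypeOtherMouseUp) {
        [[NSWorkspace sharedWorkspace] openURL:request.URL];   // any scheme, no validation
    }
    [listener ignore];
}

// Hardened form: decide from the navigation action's own metadata, never from NSApp.currentEvent.
// Assumes the message body is loaded with -loadHTMLString:baseURL: and a nil base URL, so the
// only in-WebView load to permit is the initial about:blank document.
- (void)webView:(WebView *)webView
decidePolicyForNavigationAction:(NSDictionary *)actionInformation
        request:(NSURLRequest *)request
          frame:(WebFrame *)frame
decisionListener:(id<WebPolicyDecisionListener>)listener
{
    WebNavigationType navType = [actionInformation[WebActionNavigationTypeKey] integerValue];
    if (navType == WebNavigationTypeOther &&
        [request.URL.absoluteString isEqualToString:@"about:blank"]) { [listener use]; return; }
    [listener ignore];   // nothing else is ever rendered inside the mail WebView

    // WebKit marks only anchor activations as LinkClicked; location changes, form posts and
    // meta refreshes carry other navigation types and stop here.
    if (navType != WebNavigationTypeLinkClicked) return;
    // The href of the element that was clicked must be the URL actually being requested.
    NSURL *linkURL = actionInformation[WebActionElementKey][WebElementLinkURLKey];
    if (![linkURL.absoluteString isEqualToString:request.URL.absoluteString]) return;
    // Scheme allowlist: file:, javascript: and custom app schemes never reach the default handler.
    if (![MailContentPolicy isAllowedExternalURL:request.URL]) return;
    [[NSWorkspace sharedWorkspace] openURL:request.URL];
}

+ (BOOL)isAllowedExternalURL:(NSURL *)url
{
    NSSet *allowed = [NSSet setWithObjects:@"http", @"https", @"mailto", nil];
    return url.scheme != nil && [allowed containsObject:url.scheme.lowercaseString];
}
@end
```

The hardened delegate calls ignore for every request first, so nothing rendered from a message can ever navigate the WebView itself; only a genuine anchor click whose href matches the request and whose scheme is allowlisted is handed to the system.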