iOS 16 'Mailjack' Bug Causes Mail App to Crash Upon Receiving Maliciously Crafted Email: All Details

The bug comes in the form of an otherwise routine-looking mail message with an unusual "from" field containing extra characters that trigger the crash.

Written by Anees Hussain, Edited by David Delima | Updated: 23 September 2022 19:30 IST

iOS 16 'Mailjack' Bug Causes Mail App to Crash Upon Receiving Maliciously Crafted Email: All Details

The bug dubbed "Mailjack" allows outsiders to hijack the iOS 16 Mail app

Highlights

The iOS 16 "Mailjack" email bug was discovered by Equinux
The bug could lock users running on iOS 16 out of their email app
Users may delete these emails through a device running an older iOS

An iOS 16 bug is reportedly causing the Mail application on iPhone and iPad models that have been updated to the latest version of Apple's operating system to crash, rendering it inaccessible. The bug comes in the form of an otherwise routine-looking mail message, that has an unusual sender field that includes extra characters that causes the Mail application to crash on iOS 16. The bug has been dubbed “Mailjack” and allows any outsider to lock iPhone and iPad users out of their email accounts with a modified email.

The crash-triggering email was identified by Equinux's VPN Tracker. Generally, the “From” field has the sender's name followed by their email address in the syntax — From: sender@example.com. However, the crash-triggering email had the from field syntax as — From: ""@example.com. Mail services like Gmail, Outlook, and Hotmail automatically rewrite such inbound emails with unusual syntax to prevent such triggers.

While Gmail and Yahoo have filters in place to block these maliciously crafted emails altogether, Apple's first-party iCloud Mail does not appear to have any such rewriting or filtering mechanisms in place, as per the report.

The current solution to avoiding the trigger is to delete the message from the inbox or spam folder from a device that is running an older iOS version or via an external email client. Users may also choose to move the trigger email to another subfolder on an IMAP email account. However, navigating to the respective subfolder will cause the application to crash again according to the website. Admins may also choose to add the syntax ""@example.com to their list of blocked emails via email security software or firewall.

Equinux's VPN Tracker has created a dedicated webpage where users can test the bug trigger by entering their email address. However, users are advised not to try this as it could lock them out of their emails unless they have access to an older iOS or external email client to delete the triggering message.

Apple unveiled eight new products at its September ‘Far Out' event. Which ones will float — and which will sink? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.