Specially Crafted Email Exposes Apple Users to Attack Upon Opening

Anthony Freed
By | December 13, 2012

Posted in: Network Security Trends

Most everyone is aware that one should be wary of the potential for a security breach by way of malicious links or malware-tainted documents sent by an attacker via email. Typically, you open the email, realize it is suspect, and proceed to delete it without falling for the ploy. But what about an email that can expose you to a hack by simply opening it? That seems to be the case with a vulnerability discovered by security expert Bogdan Calin, who has uncovered a flaw that could allow an attacker to compromise your network if a specially crafted email is opened with a Mac, iPhone or iPad default email client. Apple users beware.

Calin noticed that Apple automatically load images embedded in emails by default, and describes how an attacker could leverage this by simply embedding a small 1x1 pixel image that is the same color as the background used by an email client, leaving the image more or less invisible to the recipient. That's where the compromise can occur.

"The email client will load this image from a remote server and by doing so, it discloses your IP address and email client banner, and possible your identity. In some situations, such behaviour can have catastrophic consequences... my first idea was to try to attack the home router," Calin wrote.

Calin notes that most routers use only basic authentication to access administrative functions, and if the target never changed the default password for the router, or changed it to something weak or guessable, the attacker may be able to gain access to the administrative interface and proceed to reconfigure a router's settings.

"It is possible to take all the POST parameters, convert them to GET parameters and send an email to the victim containing an image with its source pointing to the router's configuration URL. To increase the chances of this attack succeeding, I can send multiple images in the email; one with the default username and password for the router and others with most common passwords... in the email we included a div which loads a number of iframes - the GET requests are actually URL’s that are typically used to configure the router," Calin explains.

If one of the username and password combinations match the setting on the targeted router, the attacker gains administrative control and can then change the DNS settings used by the router to an IP address under the attacker's control. The attacker could then present the target with spoofed webpages that appear to be authentic and steal a variety of account login information.

Calin has confirmed that the attack works on several popular routers, including the ASUS RT-N16, the ASUS RT-N56U, the Arcor EasyBox A600, and the TP-Link Router TL-WR841N. He has produced a short video that demonstrates the attack:


Calin noted that while Gmail typically prompts users before loading an image, users may be vulnerable if they have previously responded to an email from the attacker because Gmail will automatically load images in subsequent emails without prompting the user for permission if correspondence has occurred.

To prevent being compromised in such an attack, Calin recommends the use of a strong password for the router. He also contacted Apple about the problem, and they suggest that users should disable the option to "Load Remote Images."

"To do this you need to go Settings -> Mail, Contacts, Calendars and look for the 'Load Remote Images' in the Mail section," Calin said. "You need to disable this option to protect yourself against this attack. However by disabling this option, if somebody sends you an email with an embedded image you will not be able to see it."

You May Also Be Interested In: