• by Ray Schultz , September 26, 2022

Threat actors can now hijack inboxes, thanks to a flaw in the Apple iOS 16, VPN Tracker reports.  

The issue, dubbed #MailJack” by VPN, allows anyone to hijack an inbox and lock out the user, the firm says.

Apple told 9to5Mac that the issue will be corrected in a version of iOS now in beta.  

The problem, according to VPN, is in the from field. Instead of resembling a typical email "from" line — i.e.,  From: sender@example.com — the invading spam "from" line looks like this: From: ""@example.com.

“Anyone who has built software before knows that if there's one thing computers don't like, it's weirdly formatted inputs like that,” VPN writes. “We tested sending an email from ""@example.com and sure enough—this is what is causing Mail on iOS 16 to crash, locking you out of your entire inbox.”

VPN adds that the problem can be fixed by using another device to access the inbox. 

“As soon as you delete the email from your account using another device, different email client or on the web, Mail updates your inbox and stops crashing,” the company writes. 

VPN adds: “Moving the email to a subfolder in an IMAP email account will also fix your inbox, but Mail will crash again if you navigate to that folder.”