CVE-2018-15668

Vulnerability

An issue exists in Bloop Airmail 3 version 3.5.9 for macOS. The send command in the airmail:// URL scheme allows an external application to send arbitrary emails from an active account. URL parameters with the attachment_ prefix designate attachment parameters; if the value corresponds to an accessible file path (including relative paths), the file is attached to the outbound message. The handler can be invoked via any method that triggers the URL handler, such as a hyperlink in an email, and the user is not prompted when the handler processes the send command [1].

Exploitation

An attacker can craft a hyperlink or use any method to invoke the airmail:// URL scheme with the send command and attachment parameters pointing to sensitive files. The victim must have Airmail 3 installed with an active email account. If the victim clicks the link (or the handler is triggered via another mechanism), the email is automatically sent to an attacker-controlled address without any user prompt or confirmation [1].

Impact

Successful exploitation allows an attacker to exfiltrate arbitrary files from the victim's system by attaching them to an email sent from the victim's own email account. This results in unauthorized information disclosure of sensitive files. The attacker gains no direct system access but can read any file the victim can access [1].

Mitigation

As of the advisory publication date, the vendor did not respond and no patch was released [1]. Users should avoid clicking untrusted links that invoke the airmail:// scheme, consider disabling the URL handler if possible, or switch to an alternative email client. No official fix is available.