22.09.2022: A maliciously crafted email can be sent to any iOS 16 device to crash Mail and completely lock iPhone & iPad users out of their email accounts. The equinux VPN Tracker team discovered this major iOS 16 issue while analysing spam emails. We call it #Mailjack – as it allows anyone to hijack your inbox.
How to test the Mailjack attack
To make it easier to reproduce and protect your network against this issue, we’ve set up a Mailjack testing service. To prevent misuse, you will need to confirm your email address via double opt-in.
A simple way to test is to use your iCloud email account, but note that the message may be marked as spam (check your spam folder). Not all email providers will deliver the message, as some rewrite emails before delivering them to the device; see the details below.
- Enter your email address
- You’ll receive one email to confirm your address and then a second with a link to trigger the Mailjack crashing email
- Try to view the Mailjack email in Mail on iOS 16 or iPadOS 16 to trigger the crash (might be in Spam folder)
The crash in action
Mailjack technical details
We started seeing iOS mail problems for multiple people on our team: Mail was crashing immediately on launch.
Our team makes VPN Tracker – a remote access solution for enterprises on Mac and iOS, so our engineers started digging in to figure out the cause and discovered a serious flaw in Mail under iOS 16.
It turns out the team had all received the same spam message. Looking at the raw source of the message didn't immediately reveal any red flags – it was a pretty basic HTML email. However, a look at the mail headers showed that the spammers had done something unusual in the "from" field.
Typically the From field has the sender's name followed by their email address – like this:
But in this message, the from field looked like this:
Anyone who has built software before knows that if there's one thing computers don't like, it's weirdly formatted inputs like that. We tested sending an email from ""@example.com and, sure enough, this is what causes Mail on iOS 16 to crash, locking you out of your entire inbox.
Potential risks for businesses
Mailjack poses a considerable risk: Anyone can send any iOS 16 user an email that can lock them out of their inbox. Remote, no user interaction required.
At time of publishing, this issue also still exists in the latest iOS 16.1 and iPadOS 16.1 betas.
For admins worried about Mailjack attacks we recommend blocking emails formatted in this way on your email security appliance or firewall. We've filed a report with Apple's Security team and hope it will be fixed in the next iOS update.
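As an added example (not equinux's code, and not part of the original post), here is a header check that a mail gateway or milter could run to implement the blocking recommendation above. It keys on the empty quoted local-part (""@domain) shown in the post; the sample messages are constructed for illustration.

```python
import email
import re

# The malformed sender described in the post: an empty quoted-string
# local-part, i.e. an address of the form ""@domain. The pattern requires
# the "" to start the address (line start, '<', whitespace, ',' or ':') and
# to be followed directly by '@', so a display name of "" is not flagged.
EMPTY_QUOTED_LOCAL_PART = re.compile(r'(?:^|[\s<,:])""@[^\s>,]+')


def unfold(value: str) -> str:
    """Collapse RFC 5322 folding whitespace so a folded header matches as one line."""
    return re.sub(r"\s+", " ", value).strip()


def is_mailjack_candidate(raw_message: str) -> bool:
    """Return True if any From header of the raw message uses a ""@domain sender.

    Only From is inspected, because that is the header the post describes.
    """
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("From", []):
        if EMPTY_QUOTED_LOCAL_PART.search(unfold(str(value))):
            return True
    return False


# Constructed sample messages (not the spam the post analysed).
BENIGN = (
    "From: Alice Example <alice@example.com>\r\n"
    "To: bob@example.net\r\nSubject: hello\r\n\r\nHi Bob\r\n"
)
MALFORMED = (
    'From: "Promo" <""@example.com>\r\n'
    "To: bob@example.net\r\nSubject: offer\r\n\r\n<html><body>hi</body></html>\r\n"
)
MALFORMED_BARE = 'From: ""@example.com\r\nTo: bob@example.net\r\n\r\nbody\r\n'
# Folded From header: the address continues on a second line.
FOLDED = 'From: "Promo"\r\n <""@example.com>\r\nTo: bob@example.net\r\n\r\nbody\r\n'
EMPTY_DISPLAY_NAME = 'From: "" <alice@example.com>\r\n\r\nbody\r\n'

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("malformed", MALFORMED),
                       ("bare", MALFORMED_BARE), ("folded", FOLDED),
                       ("empty display name", EMPTY_DISPLAY_NAME)]:
        print(f"{label}: {'BLOCK' if is_mailjack_candidate(raw) else 'pass'}")
```

A gateway would reject or quarantine messages for which the check returns True before they reach an IMAP mailbox read by iOS 16 Mail.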
How to fix a Mailjacked inbox
The good news is there's an easy way to stop the crash, provided you have alternative access to your email account (not using iOS 16!).
As soon as you delete the email from your account using another device, different email client or on the web, Mail updates your inbox and stops crashing. Moving the email to a subfolder in an IMAP email account will also fix your inbox, but Mail will crash again if you navigate to that folder.
Devices/iOS versions that are affected:
- Mail on iOS 16 and iPadOS 16 (Beta) - verified with iOS 16.0.1 (20A371) on iPhone 14 Pro, as well as iOS 16.1 beta
- Any IMAP mail services that do not correct or rewrite inbound mails
- iCloud Mail
Devices/iOS versions that are not affected:
- Mail on iOS 15 and iPadOS 15 (and older)
- Mail on macOS Monterey
- Other email apps we tested on iOS 16 are also not affected
Mailboxes that are not affected:
- Mail services that rewrite inbound mails such as Gmail, Outlook, Hotmail
- Gmail and Yahoo mail blocked the malicious emails entirely