Every now and then we see a flaw in iOS that can render an entire app unusable. In the past, these bugs affected apps like Safari and Messages. A new bug in iOS 16, however, can completely prevent you from accessing the Mail app with a single email containing strange text in the “from” field. Here are the details and how they affect each email provider…
iOS 16 Mail app crash due to malicious text
The flaw was discovered by the folks at Equinux, which offers a VPN Tracker service for Mac and iPhone. The team discovered this bug in iOS 16 while scanning spam.
We started seeing iOS mail issues for several people on our team: Mail was crashing immediately on launch.
It turns out that the team had all received the same spam message. Looking at the raw source of the message didn’t immediately reveal any red flags – it was a fairly basic HTML email. However, a look at the mail headers showed that the spammers had done something unusual in the “from” field.
Usually, the “From” field in an incoming email looks like this:
- From: [email protected].
But the maliciously crafted email has a “From” field that contains a few extra characters, which is enough to cause trouble.
This means, according to Equinux, “anyone can send any iOS 16 user an email that can lock them out of their inbox.” They have created a form field on their website that you can use to test the flaw, which they call “Mailjack”.
Mailjack may impact the Mail app on any device running iOS 16 (the stable release), iOS 16.0.1 on the iPhone 14, and the latest iPadOS 16 betas, but there are a few caveats. Some email services, including Gmail, Outlook, and Hotmail, rewrite incoming emails to prevent such things from happening.
Additionally, Gmail and Yahoo block such malicious emails entirely. But one email service that does nothing to protect against these emails is iCloud Mail, Apple’s proprietary option. There are also a number of IMAP mail services that “do not correct or rewrite incoming mail”.
An easy way to test is to use your iCloud email account, but note that it may be marked as spam (you should check your spam folder). Note that not all email providers will forward the message as they might rewrite the emails before delivering them to the device.
The email could also be trapped in the “Spam” inbox. In this situation, the Mail app will crash every time you check your spam inbox. This is better than if the email were to appear in your main inbox, but emails can escape to the main inbox quite easily depending on the sender.
The solution to this problem, for now, is to delete the email from your account on a device that’s not running iOS 16 or through another email client:
As soon as you delete the email from your account using another device, another email client, or the web, Mail updates your inbox and stops crashing. Moving the email to a subfolder of an IMAP email account will also fix your inbox, but Mail will crash again if you navigate to that folder.
We’ve contacted Apple for comment. For now, you can test the Mailjack flaw yourself on the Equinux website or just check out the GIF below. (I tested it and don’t recommend trying it, but that’s up to you.)