The Mail app on macOS contained a 0-click vulnerability

Cybersecurity specialists reported the finding of a dangerous vulnerability in macOS Mail that would allow exploitation to add or modify an arbitrary file in the sandbox of this platform, leading to all kinds of attacks.

According to the report, exploitation could lead to the leakage of confidential information, modification of an email sent to the victim and even alteration in the target user’s settings to facilitate the spread of the attack. This flaw was reported by Mikko Kenttälä, researcher at security firm SensorFu, who mentions that Apple corrected the bug on macOS Mojave 10.14.6, macOS High Sierra 10.13.6 and macOS Catalina 10.15.5.

Tracked as CVE-2020-9922, the flaw was found after the researcher sent test messages to track them: “This platform has a function to automatically unzip attachments that another user has automatically compressed; In the case of valid use, if the user creates an email and adds the folder as an attachment, it will be automatically compressed with ZIP and x-mac-auto-archive s yes, which is added to the MIME headers. When another macOS Mail user receives this message, the compressed attachment is automatically unzipped.”

Kenttälä mentions that parts of the uncompressed data are not deleted from the temporary directory, and that the directory performs multiple functions, allowing threat actors to pivot within the environment and access restricted resources.


Exploiting this flaw requires cybercriminals to email two ZIP files to the target user; when the potential victim receives the message, macOS Mail will scan the attachments for the x-mac-auto-archive header and then unzip the files.

The first file must include a symlink called Mail that points to the victims’ $HOME/Library/Mail and file 1.txt; this ZIP is unzipped to $TMPDIR/ Based on the filename-1, file 1.txt is copied to the mail manager without anomalous activity log, however, .the cleanup is not successful and the symlink is left in place: “This symlink is the triggering factor for the second stage of the attack,” the expert says.

The second ZIP file includes the changes that will be made in $HOME/Library/Mail, which will provide arbitrary file write permissions to Library/Mail: “In my analysis, I wrote new rules for macOS Mail, which made it possible to add an automatic forwarding rule to the victim’s mail application,” Kenttälä adds.

The flaw received a score of 6.5/10 on the scale of the Common Vulnerability Scoring System (CVSS), although the expert believes it may have received a higher score: “This is a case of file manipulation in $HOME/Library/Mail, which could lead to other risk scenarios,” concludes the expert.