Apple Maildrop Vulnerability Allows Filename Manipulation on Attachments
Severity: Medium (Score: 54.6)
Sources: Reddit
Summary
A vulnerability in Apple's Maildrop service allows users to manipulate attachment links on icloud.com. The issue, identified as MAILDROP-01, involves three unsigned parameters: filename (f=), file size (sz=), and user key (uk=). Attackers can change these parameters to mislead recipients about the content of the attachments. The vulnerability was reported on July 7, 2023, and as of April 8, 2026, it remains unremediated, with the status marked as 'Prioritized for review.' This flaw poses risks of phishing and social engineering attacks, as there is no visual indicator that the metadata is controlled by the sender. The lack of validation and signature further exacerbates the risk. Full technical details, including a proof of concept and recommendations for fixes, have been provided by the reporting user.
Key Points:
• Apple Maildrop allows manipulation of attachment metadata without validation.
• The vulnerability has been unaddressed for nearly 34 months since its report.
• Potential for phishing and social engineering attacks due to misleading attachment information.
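The summary's core point is that the f=, sz= and uk= parameters are carried in the link with nothing binding them to the file the server will actually serve, so whoever edits the URL controls what the recipient sees. The following added example (not code from the report, from Apple, or from the reporting user) shows the standard defensive pattern for that class of problem: the link issuer computes an HMAC over the sender-supplied fields and appends it as a sig= parameter, and the verifier recomputes it before trusting any of the metadata. The host name, the signing key, the sig= parameter name and all sample values are constructed for the demonstration; only the three field names come from the page.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed demo key. In a real service this is a server-side secret that
# never leaves the server; the client only ever sees the resulting signature.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# The three sender-controlled fields named in the report, in a fixed order so
# the issuer and the verifier always hash the same byte string.
SIGNED_FIELDS = ("f", "sz", "uk")


def canonical(params):
    """Canonical byte string covering every signed field (URL-encoded, fixed order)."""
    return urlencode([(k, params[k]) for k in SIGNED_FIELDS]).encode()


def sign_link(base, params):
    """Issue a link whose metadata is bound to the issuer's key via HMAC-SHA256."""
    mac = hmac.new(SIGNING_KEY, canonical(params), hashlib.sha256).hexdigest()
    query = {k: params[k] for k in SIGNED_FIELDS}
    query["sig"] = mac  # hypothetical parameter name for the signature
    return f"{base}?{urlencode(query)}"


def verify_link(url):
    """Return the attachment metadata only if the signature checks out, else None."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or not all(k in q for k in SIGNED_FIELDS):
        return None
    expected = hmac.new(SIGNING_KEY, canonical(q), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    if not hmac.compare_digest(expected, q["sig"]):
        return None
    return {k: q[k] for k in SIGNED_FIELDS}


def unsigned_metadata(url):
    """What a verifier that trusts the raw parameters sees: whatever is in the URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return {k: q.get(k) for k in SIGNED_FIELDS}


def rewrite_param(url, field, new_value):
    """Edit one query parameter of an existing link (used here only to exercise the verifier)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q[field] = new_value
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(q)}"


if __name__ == "__main__":
    original = {"f": "report.pdf", "sz": "1024", "uk": "abc123"}  # constructed values
    link = sign_link("https://example.invalid/attachment", original)
    edited = rewrite_param(link, "f", "invoice.pdf")
    print("unsigned view of edited link:", unsigned_metadata(edited))
    print("signed view of edited link:  ", verify_link(edited))
```

The contrast is in the last two lines: a consumer that reads the parameters directly reports the edited filename as if it were authoritative, while the signature-checking consumer refuses the link outright. Signing the user key alongside the filename and size matters because leaving any one of the three fields out of the MAC leaves that field editable.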
Key Entities
- Apple (company)
- CWE-200 - Exposure of Sensitive Information (cwe)
- icloud.com (domain)
- iCloud (platform)
- MAILDROP-01 (vulnerability)