Mailbox, the tidy iOS email app recently purchased by Dropbox, has a pretty wide-open hole that could allow bad actors to hijack your device. And unlike phishing attempts that should probably set off your sketchiness detector, this flaw involves emails that look completely innocuous.
As Italian researcher Michele Spagnuolo shows, the Mailbox app will execute any JavaScript code embedded in the body of an HTML email message. Here he demonstrates how opening a JavaScript-equipped message causes iOS apps to launch autonomously:
While the video demonstrates the flaw by launching some pretty low-key apps, maliciously-coded emails could cause your phone to compromise some very important personal data. There doesn't seem to be a fix for the issue just yet, so if you're using Mailbox on your iOS device, it's probably a good idea to switch to another email app until this problem is sorted.
Update: Here's Mailbox's statement on this issue.
Many thanks to the community for continuing to push Mailbox to be as great an app as possible. As others have noted, the risks here are extremely limited thanks to the inter-app security built into iOS. That being said, we're working on an improvement to mail formatting that will mitigate the issue entirely and aim to ship it soon.
2nd Update: on its blog, Mailbox says the problem is now fixed:
[T]oday we implemented a process that strips JavaScript from messages before delivering them to mobile devices. This feature is now live on Mailbox servers and filtering new mail.