Airmail has issued Vulnerability-related.PatchVulnerability an update today to patch Vulnerability-related.PatchVulnerability a vulnerability that security researchers said Vulnerability-related.DiscoverVulnerability could let malicious third parties access email databases and read a user ’ s messages . Security consulting firm Versprite outlined Vulnerability-related.DiscoverVulnerability the issue in a blog post this morning , noting how Airmail 3 uses both a custom URL scheme and a so-called “ deterministic ” file system location for email messages for any given account . Using those two pieces of information , a hacker could theoretically retrieve Attack.Databreach every one of a user ’ s messages through a phishing scheme Attack.Phishing that relies on that custom URL scheme . Airmail told The Verge that it ’ s already updated Vulnerability-related.PatchVulnerability the app in the Mac App store and through its direct download beta program to address Vulnerability-related.PatchVulnerability the issue , calling it a “ very hypothetical ” one . The version number is Airmail 3.6 , and it should be rolling out Vulnerability-related.PatchVulnerability over the course of the day if you don ’ t already have it now . The update is also listed on Airmail ’ s website , with the update note , “ Potential URL Scheme Vulnerability Fix . ”

In a new blog post researchers from Proofpoint have tracked a phishing campaign Attack.Phishing leveraging the concept of “ Twitter Brand Verification ” . Because the actors in this case are relying on paid , targeted ads on Twitter , users don ’ t need to do anything to see the phishing link . Attackers are increasing the sophistication of social engineering approaches and extending them across social channels . Users and brands need to be increasingly savvy to avoid getting snared by ads , accounts , and messages that initially look legitimate . While this attack was observed on Twitter , such a scam could be implemented on any social media platform that implements some form of account verification . The full blog post can be found here , however key takeouts include : “ Verified accounts ” are a powerful tool on Twitter to help brands differentiate themselves from fraudulent , impersonation , and parody accounts on the social media site . When an account is officially verified , it displays a special badge intended to reassure Twitter users that they are interacting with a genuine brand and not an impostor . Recently , however , threat actors are using the promise of verified accounts to lure Attack.Phishing users into a credit card phishing scheme Attack.Phishing . Account verification is a process that Twitter manages for “ accounts of public interest ” and requires brands to go through multiple verification steps . The promise , then , of a quick verification process is attractive , especially to smaller businesses that potentially lack the resources to meet Twitter ’ s requirements for account verification . In this phishing attack Attack.Phishing , discovered by Proofpoint researchers in December , attackers place legitimate ads targeting brand managers and influencers with a link to a phishing site purporting Attack.Phishing to offer account verification . The ads themselves come from Attack.Phishing an account that mimics Attack.Phishing the official Twitter support account , @ support . The fraudulent account , @ SupportForAll6 , uses Twitter branding , logos , colors , etc. , to increase the sense of authenticity , despite a very low number of followers and a suspect name