"You can send an email to '[email protected]' from [email protected] and it will forward a todo to the account that uses [email protected] If you want to interact with this account you could just spoof the email address '[email protected]' and send your emails to '[email protected] [sic]'"

The researcher observed that attackers could also use that same feature to add malicious PDF documents to a target's to-do list. All they would need to do is attach the documents to their emails. They could then use the "*" character, per Wunderlist's service, to flag that email and its attachments as important.

Fortunately, it's not hard to fix the issue. Web services can take a cue from companies like Google, Evernote and Facebook and begin using unique secret email addresses for each account. This address connects a generic mail-in account to the user's account. To mess with the system, someone would need to know the secret email address for the target's account and the company's generic mail-in email address.

Still, lots of services have yet to institute this fix and properly protect their users. De Vere reflects on this state of play:
"We have reached out to several companies effected to ensure they are aware of the issue, due to the nature of the issue it will not be fixed by everyone that uses a static email address. Whilst this does bring several fairly obvious concerns the companies mentioned were only the ones I ran into – thousands more remain and should not be viewed in a negative manner because of this post. It’s the internet, everything has a bug in – some can’t be fixed. [sic]"

Users can't do much to protect themselves against these attacks. They can contact a company and ask if they use secret email addresses. If they don't, users should investigate whether it's possible for them to disable those email-based features on their accounts.
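
The difference between a static mail-in address and the per-account secret address described above can be shown in a few lines. This is an added example, not code from De Vere or from any of the services named; the domain, account data and function names are hypothetical, and the sample message is constructed.

```python
import hashlib
import secrets
from email.message import EmailMessage
from email.utils import parseaddr

MAILIN_DOMAIN = "mailin.example.com"     # assumed mail-in domain (hypothetical)
STATIC_MAILIN = "todo@" + MAILIN_DOMAIN  # one shared address for every user

accounts_by_login = {"alice@example.org": "acct-alice"}  # constructed data
accounts_by_token_hash = {}  # sha256(token) -> account id; raw tokens are not stored


def issue_secret_address(account_id):
    """Create a per-account mail-in address carrying 128 bits of randomness."""
    token = secrets.token_hex(16)
    accounts_by_token_hash[hashlib.sha256(token.encode()).hexdigest()] = account_id
    return f"add.{token}@{MAILIN_DOMAIN}"


def route_by_sender(msg):
    """Static-address design: the account is picked from the forgeable From header."""
    _, sender = parseaddr(msg["From"])
    return accounts_by_login.get(sender.lower())


def route_by_secret_recipient(envelope_rcpt):
    """Secret-address design: the account is picked from the recipient token only."""
    local, _, domain = envelope_rcpt.partition("@")
    if domain.lower() != MAILIN_DOMAIN or not local.startswith("add."):
        return None
    digest = hashlib.sha256(local[4:].lower().encode()).hexdigest()
    return accounts_by_token_hash.get(digest)


def make_message(from_addr, to_addr):
    """Build a constructed sample mail-in message."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, to_addr, "* pay invoice"
    msg.set_content("constructed sample body")
    return msg


if __name__ == "__main__":
    alice_addr = issue_secret_address("acct-alice")
    forged = make_message("alice@example.org", STATIC_MAILIN)  # From not set by Alice
    print("sender routing:", route_by_sender(forged))
    print("secret routing, static address:", route_by_secret_recipient(STATIC_MAILIN))
    print("secret routing, Alice's address:", route_by_secret_recipient(alice_addr))
```

With recipient-token routing the From header no longer selects the account, so the secret address acts as a credential: it should be revocable and reissued if it leaks.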