Softpedia >News >Security >Security Blog
Softpedia Homepage   

Bug That Can Be Exploited to Open Websites in Thunderbird Tabs Remains Unfixed

The issue was reported to Mozilla by an expert in November 2011

Jan 27, 2014 14:52 GMT  ·  By
Potentially serious security bug in Thunderbird remains unfixed, despite being reported in 2011
   Potentially serious security bug in Thunderbird remains unfixed, despite being reported in 2011

There’s a flaw in Thunderbird that can be abused to make sure that when email recipients click on a specially crafted link, the site is opened in a new Thunderbird tab, instead of the web browser. Mozilla has been aware of this issue since November 2011, but so far, it hasn’t done anything to address it.

The flaw has been identified and reported by Mike Cardwell. After seeing that Mozilla doesn’t take the bug seriously, he has decided to make his findings public.

So, basically, by exploiting this bug, an attacker can ensure that the malicious website he has created is opened in Thunderbird instead of the default browser.

Why is this a security issue? Because web browsers can have all sorts of protections that the email client doesn’t. For instance, many users install additional components, such as AdBlock, NoScript, RefControl and HTTPS-Everywhere.

If a potentially malicious website is opened in Thunderbird, all these extensions are useless. As the expert highlights, cybercriminals could create a malicious website that resembles the Thunderbird interface in order to trick potential victims.

Additional technical details on this Thunderbird security bug are available on Cardwell’s blog.

I’ve contacted Mozilla representatives regarding this issue. I’ll update the post after I hear their side of the story.

Update. A Mozilla spokesperson has provided the following statement:
"Bug 700979 describes a way to embed links in HTML mail messages that, when clicked, will open in Thunderbird itself instead of the user's default browser as intended.

This could be used in phishing attacks because Thunderbird's web view does not display the URL, and Thunderbird does not contain the SafeBrowsing feature to warn of phishing pages.

As we transitioned from a corporate-led support operation to more of a community-driven one, we have discovered some of our old systems don't meet Thunderbird community's needs.

This bug is one of these few instances. Community members are now attempting to patch this bug and we are working to make sure this type of process issue does not reoccur."