Grepular

Security Bug in Thunderbird - Open Websites in Tabs

Written 11 years ago by Mike Cardwell

Ordinarily, when using a desktop email client, if you click a link embedded in an email, it will start up your primary web browser and then open the site within it. I’ve discovered a way of crafting a link such that when you’re using Thunderbird and you click on that link, it opens the website in a new Thunderbird tab instead of in the external web browser.

First of all, why is this bad? My browser of choice is Firefox. I have made various configuration changes and installed various addons in Firefox to enhance my security and privacy. Amongst other things, I use RequestPolicy, NoScript, RefControl, AdBlock, CipherFox, HTTPS-Everywhere, I have proxy settings and sometimes I use Tor. If a link opens in a Thunderbird tab instead of a Firefox tab, all of those defenses are bypassed.

Secondly, when the external website opens in a Thunderbird tab, there is no identifying chrome around the page which would allow the user to differentiate between a tab containing any other part of the Thunderbird interface and a malicious site which is spoofing part of the Thunderbird interface.

Now for the details. The email must contain a text/html part. That text/html part must contain an anchor embedded in an inline SVG. That anchor tag must have either the target attribute set to “_blank”, or the “xlink:show attribute set to “new”. Example:

<html>
  <body>
    <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
      <a xlink:href="https://www.mozilla.org/" xlink:show="new">
        <text x="0" y="12" font-family="Verdana" font-size="12" fill="black">Click me</text>
      </a>
    </svg>
  </body>
</html>

With normal anchor tags you can right click on a link and then select “Copy Link Location” from the context menu and paste it into the web browser. However, that option is not available in the context menu when right clicking SVG anchors.

Regarding disclosure: I submitted a security bug report to Mozilla in November 2011 (26 months ago) and it was promptly acknowledged as a “moderate” security problem by them. It has not been fixed yet. I added a comment to the bug report last week to let them know I would be blogging about the issue this week. The bugzilla report is currently locked from being viewed, but for when it becomes unlocked, here it is: bug 700979

Personally, I’ve migrated away from using Thunderbird and now use Evolution on the desktop. It has built in PGP and Calendar support, without needing to use third party addons, has a much faster UI than Thunderbird, and unlike Thunderbird is currently under heavy development. Oh and it also has write support for LDAP based address books (unlike Thunderbird).

Want to leave a tip?BitcoinMoneroZcashPaypalYou can follow this Blog using RSS. To read more, visit my blog index.