There’s a flaw in Thunderbird that can be abused so that when an email recipient clicks a specially crafted link, the site opens in a new Thunderbird tab rather than in the web browser. Mozilla has been aware of this issue since November 2011, but so far, it hasn’t done anything to address it.
The flaw was identified and reported by Mike Cardwell. After concluding that Mozilla was not taking the bug seriously, he decided to make his findings public.
In short, by exploiting this bug, an attacker can ensure that a malicious website he has created opens in Thunderbird instead of the default browser.
Why is this a security issue? Because web browsers can carry protections that the email client lacks. For instance, many users install browser extensions such as AdBlock, NoScript, RefControl and HTTPS-Everywhere.
If a potentially malicious website is opened in Thunderbird instead, none of these extensions apply. As the expert highlights, cybercriminals could create a malicious website that resembles the Thunderbird interface in order to trick potential victims.
Additional technical details on this Thunderbird security bug are available on Cardwell’s blog.
I’ve contacted Mozilla representatives regarding this issue. I’ll update the post after I hear their side of the story.