Bug That Can Be Exploited to Open Websites in Thunderbird Tabs Remains Unfixed

Potentially serious security bug in Thunderbird remains unfixed, despite being reported in 2011

There’s a flaw in Thunderbird that can be abused so that when an email recipient clicks on a specially crafted link, the site opens in a new Thunderbird tab instead of in the web browser. Mozilla has been aware of this issue since November 2011, but so far it hasn’t done anything to address it.

The flaw was identified and reported by Mike Cardwell. After concluding that Mozilla wasn’t taking the bug seriously, he decided to make his findings public.

In short, by exploiting this bug an attacker can ensure that a malicious website he has created is opened inside Thunderbird rather than in the default browser.

Why is this a security issue? Because web browsers can have all sorts of protections that the email client doesn’t. For instance, many users install additional components such as AdBlock, NoScript, RefControl and HTTPS-Everywhere.

If a potentially malicious website is opened in Thunderbird, none of these extensions apply. As the expert highlights, cybercriminals could create a malicious website that resembles the Thunderbird interface in order to trick potential victims.

Additional technical details on this Thunderbird security bug are available on Cardwell’s blog.

I’ve contacted Mozilla representatives regarding this issue. I’ll update the post after I hear their side of the story.
