Closed Bug 911769 Opened 11 years ago Closed 11 years ago

Emails disclosure on Thunderbird

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Version:
26 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: fabiancuchietti, Unassigned)

Details

Attachments

(1 file)

thunderbird-mail-disclosure.mp4
2.27 MB, application/octet-stream
Details 
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130814063812

Steps to reproduce:

Hello Mozilla Security,

I discovered an issue in "Earlybird / Thunderbird" Read mails without having an access password thunderbird, this allows full disclosure of emails a user. Attached a video as proof of concept.


Steps to reproduce:
Open Mozilla and go to the following directory:

file:///C:/Users/{PC-USER}/AppData/Roaming/Thunderbird/Profiles/j1k1jwpq.default/ImapMail/imap.googlemail.com/%5BGmail%5D.sbd/Todos

I have read the emails without having to get your password,

Regards.
(not security sensitive)
Group: core-security
Whiteboard: dupeme
"Dupeme" what mean this?
This issue is considered valid?
Thunderbird makes no promises to data security on the local machine and is not designed for multiple users from the same log in. If users are concerned about data security, they should use OS level protection, or other security applications to sandbox Thunderbird in a way that can only be accessed by password.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Whiteboard: dupeme
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: