Closed Bug 117794 Opened 23 years ago Closed 23 years ago

http web site can steal email address by setup a ftp server.

Categories

(Core Graveyard :: Networking: FTP, defect)

VERIFIED DUPLICATE of bug 101027

People

(Reporter: ftang, Assigned: security-bugs)

Details

I found one way that a web site can steal people's email addresses when they browse its pages. 1. Set up an HTML page which has an image tag pointing to an FTP server. When the browser loads the page, it will try to load the image from the FTP server through anonymous FTP, and by default the browser will send the user's email address as the password for the FTP server. If the FTP admin looks at those anonymous logs, they can figure out who has accessed their HTTP server. Currently, in the "Advanced" preference tab there is a [ ] Send this email address as anonymous FTP password: [ ] option. If it is turned on by default, then it is not a problem. However, currently it is turned off by default. We should consider turning it ON by default.
Not really a security issue; an important privacy issue.
Summary: http web site can steal email address by setup a ftp server. → http web site can steal email address by setup a ftp server.
Isn't the default password "mozilla@" when no advanced pref for password is set? (Some discussion in bug 101027)
Bug 101027 changed the default to mozilla@example.com. I've created a small testcase and used a sniffer to see what email address Mozilla was sending as password. Mozilla used mozilla@example.com. Should this be invalid or duped (because mozilla@example.com can still be used to track Mozilla users, which is discussed in bug 101027)?
When the pref is off, a completely bogus email address is sent. We _never_ send the mailnews email address to an FTP server. *** This bug has been marked as a duplicate of 101027 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
VERIFIED: ->ftp never really was a security issue since bug 57763 was fixed. BTW, for networking problems, we prefer to see server logs or a packet trace when possible.
Status: RESOLVED → VERIFIED
Component: Security: General → Networking: FTP
QA Contact: bsharma → benc
Product: Core → Core Graveyard
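The packet-trace check mentioned in the comments above, as an added example that is not part of the bug report or of Mozilla's code: it reads the client side of an FTP control channel and reports what was sent as the anonymous password. The transcript format (one client command per line), the `SAMPLE` data and the function names are assumptions made for this illustration.

```python
# Added example: audit the client side of an FTP control channel from a trace.
RESERVED = ("example.com", "example.net", "example.org")  # RFC 2606 domains
ANON_USERS = {"anonymous", "ftp"}

# Constructed sample: client-to-server commands from three logins.
SAMPLE = """\
USER anonymous
PASS mozilla@example.com
TYPE I
RETR /pixel.gif
user ftp
pass alice@workstation.corp.lan
QUIT
USER bob
PASS not-an-anonymous-login
"""

def anonymous_passwords(transcript):
    """Return PASS arguments that follow an anonymous USER command."""
    found, user = [], None
    for raw in transcript.splitlines():
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()              # command names are case-insensitive
        if verb == "USER":
            user = arg.strip().lower()
        elif verb == "PASS":
            if user in ANON_USERS:
                found.append(arg)
            user = None                  # PASS ends this login attempt
        elif verb == "REIN":
            user = None                  # session reset discards pending USER
    return found

def classify(password):
    """'placeholder' if the value names no real mailbox, else 'possibly-identifying'."""
    _, at, domain = password.partition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:             # e.g. "mozilla@" or a bare token
        return "placeholder"
    if any(domain == d or domain.endswith("." + d) for d in RESERVED):
        return "placeholder"
    return "possibly-identifying"

def audit(transcript):
    """Pair each anonymous password with its classification."""
    return [(p, classify(p)) for p in anonymous_passwords(transcript)]

if __name__ == "__main__":
    for password, label in audit(SAMPLE):
        print(f"{label:22} {password}")
```

The label only says whether the value names a mailbox; as the thread notes, a fixed placeholder such as mozilla@example.com can still mark the client as Mozilla.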