Closed Bug 1387203 Opened 7 years ago Closed 6 years ago

Thunderbird silently sent my private clipboard with email to a wide distribution list

Categories

(Thunderbird :: Message Compose Window, defect)

52 Branch
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1276391

People

(Reporter: jayrusman, Unassigned)

Details

(Keywords: privacy)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170629000000

Steps to reproduce:

I sent an email.  When I look at the email in the sent folder, it shows what I expect.  The email I typed, and the email I saw on my screen.


Actual results:

When people replied to me, it is clear that Thunderbird silently pasted my CLIPBOARD into the email, which happened to be a private chat message with another person.  I checked the sent message in Thunderbird, and it does NOT show my private chat message in the sent email.  When I copy and paste the message to a Konsole terminal, the offending text is in the paste buffer.  Somehow,  Thunderbird is inserting hidden text, and not showing it to me.  When I click reply, the offending text is not shown -- but again copy/paste to other window reveals the text.  No text property changes I can alter in the edit window will reveal the offending text in Thunderbird.


Expected results:

Thunderbird should not have silently sent my clipboard out with an email.  Or, the email in the sent folder should reflect what was sent to everyone else.  Somewhere, somehow, Thunderbird effed me over here.
Component: Untriaged → Message Compose Window
Keywords: privacy
Please send me the message in question via e-mail. Drag it out into a file on the desktop or a folder (or use File > Save As) and send it to me as an attachment. You'll find my e-mail in my profile.

There must have been something strange happening for chat to be copied to the outgoing message in an invisible form.
Once I forward the email, it shows up, the magic is lost.  I'll clone and try to whittle the mailbox down to the one offending message, and then use a hex editor to redact non-shareable info.
(In reply to jayrusman from comment #2)
> Once I forward the email, it shows up, the magic is lost.  I'll clone and
> try to whittle the mailbox down to the one offending message, and then use a
> hex editor to redact non-shareable info.

Were you able to sort this out?
Flags: needinfo?(jayrusman)
Whiteboard: [closeme 2017-12-20]
If true, this would be very serious indeed.  But we need more information.
Severity: normal → major
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jayrusman)
Resolution: --- → INCOMPLETE
Whiteboard: [closeme 2017-12-20]
All private info removed from image and raw text below.

Here's a screenshot of what I see in Thunderbird 52.5.0 (64-bit) under openSUSE Tumbleweed (up-to-date as of Jan 1st, 2018)
https://i.imgur.com/MCidMZE.png

Problem is that other people received the "HIDDEN TEXT" in plain view (which was a private IM message).  My Thunderbird does not show it to me in my email view, nor did it show it to me in the compose window.  Clearly the IM text exists in the Inbox file, so it was indeed sent.  It was between 'i' and 's' as shown by the red arrow in the imgur link.

Here's the relevant (hopefully) raw text from Inbox file:
-----------------------------------------------------------------
...
MIME-Version: 1.0

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">In general, i
      <div data-redactor-wrapper="1" style="position: absolute; left:
        -9999px;">
        <div data-redactor="1">HIDDEN TEXT HIDDEN TEXT HIDDEN TEXT
          HIDDEN TEXT ♫♫♫♫</div>
        I</div>
      s there some sort of implied connection between xxx and
      xxx numbering in general?<br>
      <br>
      <br>
...
-----------------------------------------------------------------

How did it get like that??
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
(In reply to jayrusman from comment #5)
> How did it get like that??
I'd like to know that, too.

>     <div class="moz-cite-prefix">In general, i
>       <div data-redactor-wrapper="1" style="position: absolute; left:
>         -9999px;">
>         <div data-redactor="1">HIDDEN TEXT HIDDEN TEXT HIDDEN TEXT
>           HIDDEN TEXT ♫♫♫♫</div>
>         I</div>
>       s there some sort of implied connection between xxx and
Somehow, between the "i" and the "s" in the screenshot, you pasted an HTML fragment from somewhere. That text isn't shown, since it's positioned absolute at X=-9999.

Same complaint as in bug 1276391.

Nothing we can do about this.
I wish for a "text only pasting" option in preferences, where all text pasted is *never* taken as HTML.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
There is a "paste without formatting" already; sadly, it doesn't strip "crazy offsets", see bug 1342725.
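
The mechanism identified in the comments above (pasted HTML carried into the message inside an element positioned absolutely at left: -9999px, so the composing client renders it off-screen) can be checked for in an HTML body before it is sent. This is an added example, not part of the bug thread and not Thunderbird code; the function names, the 1000px threshold and the sample markup (modelled on the redacted fragment above, with placeholder text) are assumptions.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
POSITIONED = re.compile(r"position\s*:\s*(?:absolute|fixed)", re.I)
NEG_OFFSET = re.compile(r"(?:left|top|right|bottom)\s*:\s*-\s*(\d+(?:\.\d+)?)\s*px", re.I)
THRESHOLD_PX = 1000  # assumed cut-off; small negative offsets are normal layout

def is_offscreen(style):
    """True for an inline style such as 'position: absolute; left: -9999px'."""
    return bool(POSITIONED.search(style)) and any(
        float(px) >= THRESHOLD_PX for px in NEG_OFFSET.findall(style))

class OffscreenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hidden) for every open element
        self.hidden_text = []  # text present in the body but rendered off-screen

    def handle_starttag(self, tag, attrs):
        if tag in VOID:        # void elements never get an end tag
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1][1]
        self.stack.append((tag, inherited or is_offscreen(style)))

    def handle_endtag(self, tag):
        if any(open_tag == tag for open_tag, _ in self.stack):
            while self.stack.pop()[0] != tag:  # tolerate unclosed children
                pass

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and self.stack and self.stack[-1][1]:
            self.hidden_text.append(text)

def find_offscreen_text(html):
    """Return the text fragments that sit inside off-screen positioned elements."""
    finder = OffscreenTextFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden_text

# Constructed sample, modelled on the redacted fragment quoted in the bug.
SAMPLE = """<div class="moz-cite-prefix">In general, i
  <div data-redactor-wrapper="1" style="position: absolute; left:
    -9999px;">
    <div data-redactor="1">PLACEHOLDER PRIVATE TEXT</div>
    I</div>
  s there some sort of implied connection?<br></div>"""
```

Calling `find_offscreen_text(SAMPLE)` returns both the placeholder text and the stray "I" that sits inside the same wrapper. It inspects inline `style` attributes only, so hiding done through a stylesheet or other CSS properties is outside what it detects.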