52.5.0 (64 bit) BCC address list improperly disclosed to recipients through Gmail SMTP service

RESOLVED INVALID

Status

Thunderbird
Untriaged
RESOLVED INVALID
22 days ago
20 days ago

People

(Reporter: service, Unassigned)

Tracking

52 Branch

(Reporter)

Description

22 days ago
Created attachment 8939173 [details]
ts.txt

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20171123161455

Steps to reproduce:

Sent both "to" (myself) and "bcc" (a list of recipients), a longstanding and familiar habit.


Actual results:

The message I received back contained a "BCC" line, improperly disclosing the list of recipients which should have been kept confidential.


Expected results:

"BCC" address list should have been missing from email I received back.

Comment 1

21 days ago
I cannot confirm that. Neither with TB trunk nor with TB 52.5.2.

Did you really look at the returned EMail?

Or maybe did you look at the copy in the Sent folder? Of course that EMail still contains the BCC header, because it is the version before sending.
(Reporter)

Comment 2

21 days ago
Thank you for taking time to respond.

Yes, I looked carefully at the headers of both the incoming and outgoing copies. That's what made it unusual. I am an experienced user, and do this often.

Yes, I realize the outgoing copy always contains the BCC line and that would be normal; however, the incoming copy also contained the BCC line, which is not normal.

I don't know what this "trunk" version is. I was using Thunderbird 52.5.0, the one recently auto-installed on my Debian system with apt-get.

Comment 3

"Trunk" is the current development version, currently at version 59.

TB positively does *NOT* send out BCC addresses. We had a similar problem in bug 1385839 (originally: Reply/reply to all: "Reply-to" not honoured, BCC exposed, which took me ages to analyse).

If you want us to look into it, please save/export the sent and the received message and attach it here ("Attach File"). Or describe the exact setup.
(Reporter)

Comment 4

20 days ago
Here is the specific information requested. Notice both outgoing and incoming versions below have the BCC line. This is verbatim except for [snip]'s. Oddly, the five email addresses under BCC were in a different sequence in the incoming message than in the outgoing message.

==== outgoing message, saved in "Sent" folder ====

From - Sat Dec 30 14:14:55 2017
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
X-Mozilla-Keys:                                                                                 
BCC: [snip, 5 email addresses]
From: Mayfair Apartments <[snip]>
Subject: dogs in Court building
To: Mayfair Apartments <[snip]>
Message-ID: <f330b647-150f-7285-31eb-477210a23f9e@gmail.com>
Date: Sat, 30 Dec 2017 14:14:52 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.5.0
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="------------424BC412BBF6FAF4682DFC68"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------424BC412BBF6FAF4682DFC68
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

Dear Court Building Dog Owners,

There's an ongoing problem with...[snip]

==== incoming message, received back in inbox about 45 seconds later ====

From - Sat Dec 30 14:15:36 2017
X-Account-Key: account13
X-UIDL: GmailId160a97fbf46dbc8f
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Bcc: [snip, 5 email addresses]
Return-Path: <[snip]>
Received: from [192.168.1.3] (50-46-215-73.evrt.wa.frontiernet.net. [50.46.215.73])
        by smtp.gmail.com with ESMTPSA id q6sm15680092ita.38.2017.12.30.14.16.49
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 30 Dec 2017 14:16:49 -0800 (PST)
From: Mayfair Apartments <[snip]>
Subject: dogs in Court building
To: Mayfair Apartments <[snip]>
Message-ID: <f330b647-150f-7285-31eb-477210a23f9e@gmail.com>
Date: Sat, 30 Dec 2017 14:14:52 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.5.0
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="------------424BC412BBF6FAF4682DFC68"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------424BC412BBF6FAF4682DFC68
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

Dear Court Building Dog Owners,

There's an ongoing problem with...[snip]

Comment 5

I think Gmail is playing a trick on you. The sent header is BCC and the received one is Bcc and in a different order.

See:
https://productforums.google.com/forum/#!msg/gmail/qZ04NiqfeQM/f-UyQO4d42UJ
Gmail will not strip out the BCC headers on incoming mail. If the sender included it, you will see it.

Also see bug 1304630.

TB ships the message with the BCC to the user's SMTP server. If they do the wrong thing, complain to them.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 20 days ago
Resolution: --- → INVALID
Summary: 52.5.0 (64 bit) BCC address list improperly disclosed to recipients → 52.5.0 (64 bit) BCC address list improperly disclosed to recipients through Gmail SMTP service

Comment 6

Try not adding a To: but only Bcc:. That works in TB. Also, does only the To: recipient receive the Bcc: header or all the other dog owners, too?
(Reporter)

Comment 7

20 days ago
I did not know that Gmail was the culprit. Thank you for your time.
(Reporter)

Comment 8

20 days ago
Yes, that suggestion worked; thank you! When using Gmail SMTP, avoid specifying "To". (Quirky, because some email service providers require "To"; which is why I got in the habit of specifying myself as the "To" recipient.)

I have no way of knowing whether BCC recipients saw the whole BCC list.
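
One way to check a delivered copy for the exposure discussed in this bug, and to prepare a message so that Bcc addresses travel only in the SMTP envelope. This is an added example, not code from Thunderbird or from any participant in the bug; the sample message, its addresses and the function names are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample modelled on the headers quoted in comment 4.
# The addresses are placeholders, not values from the bug.
SAMPLE = """\
Bcc: a@example.org, b@example.org
Return-Path: <office@example.org>
From: Office <office@example.org>
Subject: dogs in Court building
To: Office <office@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Dear Court Building Dog Owners,
"""

# Header names are matched case-insensitively, so "BCC:" and "Bcc:" both count.
HIDDEN = ("bcc", "resent-bcc")


def _addresses(msg, names):
    """Collect the bare addresses found in the given header fields."""
    fields = [str(v) for name in names for v in msg.get_all(name, [])]
    return sorted({addr.lower() for _, addr in getaddresses(fields) if addr})


def leaked_bcc(raw):
    """Return addresses exposed in Bcc-type headers of a delivered message."""
    msg = message_from_string(raw, policy=policy.default)
    return _addresses(msg, HIDDEN)


def split_for_submission(raw):
    """Return (envelope_recipients, wire_message) with Bcc only in the envelope."""
    msg = message_from_string(raw, policy=policy.default)
    rcpts = _addresses(msg, ("to", "cc") + HIDDEN)
    for name in HIDDEN:
        del msg[name]  # removes every occurrence of the header, if present
    return rcpts, msg.as_string()
```

The recipient list returned by `split_for_submission` is what goes into the SMTP `RCPT TO` commands (for example as the `to_addrs` argument of `smtplib.SMTP.sendmail`), while the returned message text no longer names the hidden recipients.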