Closed Bug 1435763 Opened 7 years ago Closed 7 years ago

Thunderbird configured to use credentials to log into a mail- and calendar-server may lock the user's account because of multiple attempts

Categories

(Thunderbird :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 596675

People

(Reporter: tschweikle, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3315.3 Safari/537.36 OPR/52.0.2852.0 (Edition developer)

Steps to reproduce:

- Install Thunderbird on Windows 7, 10. Install Lightning, CalDAV.
- Configure Thunderbird to use credentials to log into mail- and calendar-accounts.

From time to time Thunderbird will try to log in to servers with outdated credentials multiple times and lock the account if this is configured. Thunderbird tries multiple times for every configured account to log in. If credentials are outdated this leads to some failing trials per account. If it is configured to allow max. 5 trials before the account gets locked, it is enough to configure two accounts using the same credentials to have enough trials to lock it. Thunderbird seems not to notice credentials are outdated and tries to renew them before they are used, doing nothing if renewal fails.

Actual results:

Thunderbird tries to log in to configured accounts with outdated credentials multiple times. The server locks the account because of using outdated credentials multiple times, exceeding the allowed count for such activity.

Expected results:

Thunderbird should notice outdated credentials, trying to renew them. If this fails it should notify the user and stop trying to log in to configured servers authenticating by presenting credentials until the user takes appropriate action.
I have encountered this myself. I suspect you are seeing bug 596675
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Component: Untriaged → Security
Resolution: --- → DUPLICATE
Summary: Thunderbird configured to use credentials to log into a mail- and calendar-server may lock the users account → Thunderbird configured to use credentials to log into a mail- and calendar-server may lock the users account because of multiple attempts
Not sure, but maybe. In this case Thunderbird is configured to use Windows SSPI to log in to an account. All OK until the tickets expire. Thunderbird will take these expired tickets and try to authenticate. It is told the tickets are expired and it should renew them. Nevertheless Thunderbird tries again, without renewing. Three times until it gives up. Thunderbird should instead do what it is advised: take the ticket, renew it, and if that fails stop trying again until the user has taken appropriate action. If renewal was successful Thunderbird shall take the renewed ticket and authenticate. I am not sure if this is the same routine presenting passwords, certificates or tickets. It may be the same loop, but not the same code.
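The lockout arithmetic from the report (two accounts sharing one expired credential, three blind retries each, a server that locks after five failures) and the behaviour comment 2 asks for (renew first, retry at most once with the renewed ticket, then stop until the user acts) can be contrasted in a small simulation. The following is an added example, not Thunderbird or Lightning code: `MockAuthServer`, `CredentialSource`, `naive_login`, `guarded_login` and `simulate` are all constructed here, and the "expired"/"locked" responses stand in for whatever the real server's SASL/GSSAPI rejection looks like.

```python
"""Added example (not Thunderbird code): a credential-gated login loop that
cannot push a shared credential past a server's lockout threshold.

Everything here is constructed: MockAuthServer stands in for a mail or
calendar server that locks an account after a fixed number of bad
authentications, CredentialSource stands in for the SSPI/Kerberos ticket
cache shared by every account configured with the same credentials, and the
two login strategies contrast the retry behaviour described in the bug with
the expected behaviour."""
from dataclasses import dataclass
from typing import Dict


class MockAuthServer:
    """Locks the account once `max_failures` consecutive bad logins arrive."""

    def __init__(self, valid_token: str, max_failures: int = 5) -> None:
        self.valid_token = valid_token
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, token: str) -> str:
        if self.locked:
            return "locked"
        if token == self.valid_token:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return "expired"  # the server tells the client to renew its ticket


@dataclass
class CredentialSource:
    """One ticket shared by every account configured with the same credentials."""
    token: str
    expired: bool              # what the local ticket metadata says
    renewable: bool            # constructed switch: would a renewal succeed?
    needs_user_action: bool = False
    renew_attempts: int = 0

    def renew(self) -> bool:
        self.renew_attempts += 1
        if not self.renewable:
            self.needs_user_action = True   # halts every account, not just this one
            return False
        self.token, self.expired = "fresh-ticket", False
        return True


def naive_login(server: MockAuthServer, creds: CredentialSource, retries: int = 3) -> bool:
    """Retry the same ticket `retries` times without renewing (behaviour in the report)."""
    for _ in range(retries):
        if server.login(creds.token) == "ok":
            return True
    return False


def guarded_login(server: MockAuthServer, creds: CredentialSource) -> bool:
    """Renew before use, renew at most once on rejection, then stop (expected behaviour)."""
    if creds.needs_user_action:
        return False                       # never contact the server again until the user acts
    if creds.expired and not creds.renew():
        return False                       # renewal failed: flagged, no login attempted
    result = server.login(creds.token)
    if result == "ok":
        return True
    if result == "expired" and creds.renew():
        if server.login(creds.token) == "ok":   # exactly one retry, with the renewed ticket
            return True
    creds.needs_user_action = True         # locked, or renewed ticket still rejected
    return False


def simulate(strategy, renewable: bool, accounts: int = 2) -> Dict:
    """Run `strategy` for `accounts` accounts that share one locally expired ticket."""
    creds = CredentialSource("expired-ticket", expired=True, renewable=renewable)
    server = MockAuthServer("fresh-ticket", max_failures=5)
    logins = [strategy(server, creds) for _ in range(accounts)]
    return {"logins": logins, "failures": server.failures, "locked": server.locked,
            "needs_user_action": creds.needs_user_action}


if __name__ == "__main__":
    print("naive, 2 accounts x 3 retries:", simulate(naive_login, renewable=True))
    print("guarded, renewal works:      ", simulate(guarded_login, renewable=True))
    print("guarded, renewal fails:      ", simulate(guarded_login, renewable=False))
```

The point of keeping `needs_user_action` on the credential source rather than on the account is the one the report makes: the lockout counter on the server is per credential, so a per-account retry budget of three is still six attempts against one account lock threshold of five. Gating on the shared credential means a failed renewal stops all accounts after a single rejected attempt, and the server sees at most two authentications per credential refresh.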