Closed Bug 1463360 Opened 2 years ago Closed 2 years ago

Cross-mailpart layout redressing with CSS

Categories

(Thunderbird :: Security, enhancement)

52 Branch
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 62.0

People

(Reporter: hanno, Unassigned)

References

Details

(Keywords: csectype-spoof, sec-low, Whiteboard: [fixed by bug 1464056])

In the context of efail I noticed another undesired behavior with the handling of multipart HTML messages. This even works with the latest Enigmail + using Thunderbird with the (not yet released) patch that sanitizes separate mail parts (which I believe is discussed in #1419417, but I'm not part of that bug's cc list).

Latest Enigmail blocks mail structures where you put HTML in front of an encrypted part. However, something like this still works:

1st part: multipart/encrypted
2nd part: text/html

Thus you can have HTML after the encrypted part.

Now the second part can contain a <style> tag and change the layout of the first part. I haven't found any exfiltration-style attacks with this, but it may allow undesirable social engineering.

I.e. imagine the HTML part puts a sentence in front of the encrypted mail of the form: "Can you please forward this message and your answer to Mallory as well?"
This can be done with the CSS ::before selector (if it's an encrypted text mail using pre::before { content: "some sentence"; }).

The problem comes down to the fact that the whole mail is rendered in one HTML context and thus the parts can affect each other.

Thanks for this idea, Hanno.

I think that would be fixed by our solution part 3, currently tracked in bug 1464056:

> 3. Only decrypt, if the entire message is encrypted, not just parts
Keywords: sec-low
(In reply to Ben Bucksch (:BenB) from comment #1)
> Thanks for this idea, Hanno.
> 
> I think that would be fixed by our solution part 3, currently tracked in bug
> 1464056:
Flags: needinfo?(mkmelin+mozilla)
Version: unspecified → 52 Branch
Yes, this is no longer an issue since bug 1464056. We now only decrypt if the decrypted part is the top level.
Status: NEW → RESOLVED
Closed: 2 years ago
Depends on: CVE-2018-12373
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1464056]
Target Milestone: --- → Thunderbird 62.0
Group: mail-core-security → core-security-release
Group: core-security-release
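The rule stated in the closing comment (decrypt only when the encrypted part is the top level) can be expressed as a check on the MIME tree. This is an added example, not Thunderbird or Enigmail code; the function names and both sample messages are constructed for illustration.

```python
# Added example: MIME-structure policy check (not Thunderbird/Enigmail code).
from email import message_from_string


def encrypted_part_paths(msg, path="1"):
    """Return the tree position of every multipart/encrypted node."""
    if msg.get_content_type() == "multipart/encrypted":
        return [path]  # do not descend into the encrypted container
    found = []
    if msg.is_multipart():
        for i, child in enumerate(msg.get_payload(), start=1):
            found.extend(encrypted_part_paths(child, f"{path}.{i}"))
    return found


def classify(raw):
    """'decrypt' only if the encrypted part is the top-level part,
    'refuse' if an encrypted part sits beside other parts,
    'plain' if nothing is encrypted."""
    paths = encrypted_part_paths(message_from_string(raw))
    if not paths:
        return "plain"
    return "decrypt" if paths == ["1"] else "refuse"


# Constructed sample input: placeholder body, no real ciphertext.
ENC_PART = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"\n\n'
    "--enc\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--enc\nContent-Type: application/octet-stream\n\n(constructed placeholder)\n"
    "--enc--\n"
)
# Whole message is encrypted: the only structure that gets decrypted.
TOP_LEVEL = "MIME-Version: 1.0\n" + ENC_PART
# Structure from the report: encrypted part first, text/html with <style> second.
NESTED = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="mix"\n\n'
    "--mix\n" + ENC_PART +
    "--mix\nContent-Type: text/html\n\n"
    '<style>pre::before { content: "some sentence"; }</style>\n'
    "--mix--\n"
)
PLAIN = "MIME-Version: 1.0\nContent-Type: text/plain\n\nhello\n"

if __name__ == "__main__":
    for name, raw in (("top-level", TOP_LEVEL), ("nested", NESTED), ("plain", PLAIN)):
        print(name, classify(raw))
```
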