Closed
Bug 1463360
Opened 7 years ago
Closed 6 years ago
Cross-mailpart layout redressing with CSS
Categories
(Thunderbird :: Security, enhancement)
Tracking
(Not tracked)
RESOLVED
FIXED
Thunderbird 62.0
People
(Reporter: hanno, Unassigned)
References
Details
(Keywords: csectype-spoof, sec-low, Whiteboard: [fixed by bug 1464056])
In the context of efail I noticed another undesired behavior with the handling of multipart HTML messages. This even works with the latest Enigmail + using Thunderbird with the (not yet released) patch that sanitizes separate mail parts (which I believe is discussed in #1419417, but I'm not part of that bug's CC list).
Latest Enigmail blocks mail structures where you put HTML in front of an encrypted part. However, something like this still works:
1st part: multipart/encrypted
2nd part: text/html
Thus you can have HTML after the encrypted part.
Now the second part can contain a <style> tag and change the layout of the first part. I haven't found any exfiltration-style attacks with this, but it may allow undesirable social engineering.
I.e. imagine the HTML part puts a sentence in front of the encrypted mail of the form: "Can you please forward this message and your answer to Mallory as well?"
This can be done with the CSS ::before selector (if it's an encrypted text mail using pre::before { content: "some sentence"; }).
The problem comes down to the fact that the whole mail is rendered in one HTML context and thus the parts can affect each other.
Updated•7 years ago
Keywords: csectype-spoof
Comment 1•7 years ago
Thanks for this idea, Hanno.
I think that would be fixed by our solution part 3, currently tracked in bug 1464056:
> 3. Only decrypt, if the entire message is encrypted, not just parts
Comment 2•6 years ago
(In reply to Ben Bucksch (:BenB) from comment #1)
> Thanks for this idea, Hanno.
>
> I think that would be fixed by our solution part 3, currently tracked in bug
> 1464056:
Flags: needinfo?(mkmelin+mozilla)
Version: unspecified → 52 Branch
Comment 3•6 years ago
Yes, this is no longer an issue since bug 1464056. We now only decrypt if the decrypted part is the top level.
Status: NEW → RESOLVED
Closed: 6 years ago
Depends on: CVE-2018-12373
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1464056]
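The message structure from the report and the top-level-only rule from comment 3, written as a structural check a mail filter or test suite could run. This is an added example, not part of the bug thread and not Thunderbird or Enigmail code; the function names, the `root.N` path labels and both sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def encrypted_part():
    """Constructed PGP/MIME container; the payload is a placeholder, not ciphertext."""
    enc = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    enc.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    enc.attach(MIMEApplication(b"placeholder, not real ciphertext", "octet-stream"))
    return enc

def sample_reported_layout():
    """Constructed: 1st part multipart/encrypted, 2nd part text/html."""
    outer = MIMEMultipart("mixed")
    outer.attach(encrypted_part())
    outer.attach(MIMEText("<style>/* constructed placeholder */</style>", "html"))
    return outer.as_bytes()

def sample_top_level():
    """Constructed: the whole message is the encrypted container."""
    return encrypted_part().as_bytes()

def find_nested_encrypted(part, path="root"):
    """Yield (path, sibling content types) for multipart/encrypted parts below `part`."""
    children = list(part.iter_parts())
    for i, child in enumerate(children, 1):
        here = f"{path}.{i}"
        if child.get_content_type() == "multipart/encrypted":
            yield here, [c.get_content_type() for c in children if c is not child]
        else:
            yield from find_nested_encrypted(child, here)

def audit(raw):
    """Apply the rule 'decrypt only if the encrypted part is the top level'."""
    msg = message_from_bytes(raw, policy=policy.default)
    top_level = msg.get_content_type() == "multipart/encrypted"
    nested = [] if top_level else list(find_nested_encrypted(msg))
    return {
        "decrypt": top_level,  # assumption: simplified reading of comment 3
        "nested": nested,      # encrypted parts that share a parent with other parts
        "html_sibling": any("text/html" in sibs for _, sibs in nested),
    }

if __name__ == "__main__":
    print(audit(sample_reported_layout()))
    print(audit(sample_top_level()))
```

A message flagged with `html_sibling` is one where sibling HTML would share a rendering context with the decrypted text if the nested part were decrypted.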
Updated•6 years ago
Target Milestone: --- → Thunderbird 62.0
Updated•6 years ago
Group: mail-core-security → core-security-release
Updated•5 years ago
Group: core-security-release