Closed
Bug 1504891
Opened 6 years ago
Closed 6 years ago
Thunderbird Potential Authentication Flaw - accesses mail with old password
Categories
(Thunderbird :: Security, defect)
Thunderbird
Security
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: contact, Unassigned)
Details
(Keywords: reporter-external)
Hello,
I am using the latest version of Mozilla Thunderbird for email management. I can see email content even though the password changed.
Steps
1. Visit https://mail.com/
2. Click the "Log in" button and login
3. Open the Mozilla Thunderbird
4. Click the "Email"
5. Enter your name, e-mail address and password. Check Remember password and click Continue (Thunderbird automatically detects the correct server settings.)
6. Select IMAP and click Done.
7. To synchronize your e-mail and folders, click Get Mail
8. Send test email and try viewing
9. Go to mail.com panel and Click the security options
10. Change password
11. Password changed successfully
12. Send again test email after password changed
13. You can see email content even though password changed
Video: https://youtu.be/77irHhL35AU
Thanks!
Flags: sec-bounty?
Updated•6 years ago
Group: firefox-core-security → mail-core-security
Product: Firefox → Thunderbird
Comment 1•6 years ago
Mail account passwords are intended to authenticate to remote servers, not intended to protect locally synced data. And locally synced data is the responsibility of your computer account security. This is therefore not a Thunderbird product vulnerability.
Take your pick from the following:
Bug 35308 - password and encrypting protecting for mail folders
Bug 318697 - Master Password should protect / prevent access to mail when starting thunderbird
Bug 16489 - Password Protection of Profiles
Group: mail-core-security
Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Comment 2•6 years ago
Minusing for bounty. Thunderbird is a community project and not part of the bug bounty program.
Flags: sec-bounty? → sec-bounty-
Comment 3•6 years ago
Hmm, if I understood the video correctly, TB will retrieve IMAP messages using a stored password even if the password was changed on the server side. TB knows nothing about the password change, so if the server doesn't decline further access, it's a server-side problem. Surely after a restart you can no longer access new (not locally sync-ed) e-mail.
Comment 4•6 years ago
Yes, seems like a server problem. If the account password changed, the server should drop any existing authenticated IMAP connections, and then when TB makes a new connection the TB password prompt will appear.
Tb restart or offline/online transition should also cause a pwd prompt.
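The server-side behaviour Comments 3 and 4 describe can be modelled directly. The following is an added illustration, not Thunderbird or mail.com code: a toy IMAP-style session store in which every authenticated session is bound to the credential version it logged in with. With `revoke_on_change=False` the server behaves as in the report (an already-open session keeps fetching mail after the password changes); with `revoke_on_change=True` the stale session is rejected on its next command, so the client must re-authenticate and the stored old password fails. All account names, passwords and the `replay_report` helper are constructed for this example.

```python
"""Toy mail server showing why the server, not the client, must invalidate
authenticated sessions when a password changes.

Constructed illustration (not Thunderbird or mail.com code): every user,
password and class name below is made up for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    credential_version: int = 0  # incremented on every password change


@dataclass
class Session:
    user: str
    credential_version: int  # version that was current when this session authenticated


class MailServer:
    """Minimal server model with a switchable revocation policy."""

    def __init__(self, revoke_on_change: bool) -> None:
        self.revoke_on_change = revoke_on_change
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}
        self.mailbox: dict[str, list[str]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_account(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, self._hash(password, salt))
        self.mailbox[user] = []

    def login(self, user: str, password: str):
        """Authenticate and return a session id, or None on bad credentials."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, acct.credential_version)
        return sid

    def _authorize(self, sid: str):
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        acct = self.accounts[sess.user]
        if self.revoke_on_change and sess.credential_version != acct.credential_version:
            del self.sessions[sid]  # stale session: force a fresh LOGIN
            return None
        return sess

    def change_password(self, user: str, old: str, new: str) -> bool:
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.pw_hash, self._hash(old, acct.salt)):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = self._hash(new, acct.salt)
        acct.credential_version += 1  # this is what invalidates open sessions
        return True

    def deliver(self, user: str, body: str) -> None:
        self.mailbox[user].append(body)

    def fetch(self, sid: str):
        """Return mailbox contents, or None if the session is not (or no longer) authorized."""
        sess = self._authorize(sid)
        if sess is None:
            return None
        return list(self.mailbox[sess.user])


def replay_report(revoke_on_change: bool) -> tuple:
    """Replay steps 5-13 of the report against the toy server.
    Returns (old_session_still_fetches_mail, old_password_still_logs_in)."""
    srv = MailServer(revoke_on_change)
    srv.create_account("alice@example.invalid", "old-password")
    sid = srv.login("alice@example.invalid", "old-password")   # step 5: client stores password, logs in
    srv.deliver("alice@example.invalid", "test 1")            # step 8
    assert srv.fetch(sid) == ["test 1"]
    assert srv.change_password("alice@example.invalid", "old-password", "new-password")  # steps 10-11
    srv.deliver("alice@example.invalid", "test 2")            # step 12
    still_fetches = srv.fetch(sid) is not None                # step 13
    old_pw_works = srv.login("alice@example.invalid", "old-password") is not None
    return still_fetches, old_pw_works


if __name__ == "__main__":
    print("no revocation:", replay_report(False))   # (True, False): the report's behaviour
    print("revocation:   ", replay_report(True))    # (False, False): stale session dropped
```

Binding sessions to a credential version (rather than walking the session table on every password change) is the usual way to get this property cheaply; the same check also covers tokens issued before a forced reset. Note that it does not, and cannot, remove mail the client already synced locally, which is the point made in Comment 1.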
Updated•6 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Summary: Mozilla Thunderbird Potential Authentication Flaw → Thunderbird Potential Authentication Flaw - accesses mail with old password
Updated•4 months ago
Keywords: reporter-external