Closed Bug 1504891 Opened 6 years ago Closed 6 years ago

Thunderbird Potential Authentication Flaw - accesses mail with old password

Categories

(Thunderbird :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: contact, Unassigned)

Details

(Keywords: reporter-external)

Hello, I am using Mozilla Thunderbird latest version for email management. I can see email content even though the password was changed.

Steps:
1. Visit https://mail.com/
2. Click the "Log in" button and log in
3. Open Mozilla Thunderbird
4. Click "Email"
5. Enter your name, e-mail address and password. Check "Remember password" and click Continue (Thunderbird automatically detects the correct server settings.)
6. Select IMAP and click Done.
7. To synchronize your e-mail and folders, click Get Mail
8. Send a test email and try viewing it
9. Go to the mail.com panel and click the security options
10. Change password
11. Password changed successfully
12. Send the test email again after the password change
13. You can see the email content even though the password was changed

Video: https://youtu.be/77irHhL35AU

Thanks!
Flags: sec-bounty?
Group: firefox-core-security → mail-core-security
Product: Firefox → Thunderbird
Mail account passwords are intended to authenticate to remote servers; they are not intended to protect locally synced data. Locally synced data is the responsibility of your computer account security. This is therefore not a Thunderbird product vulnerability. Take your pick from the following:
Bug 35308 - password and encrypting protecting for mail folders
Bug 318697 - Master Password should protect / prevent access to mail when starting thunderbird
Bug 16489 - Password Protection of Profiles
Group: mail-core-security
Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Minusing for bounty. Thunderbird is a community project and not part of the bug bounty program.
Flags: sec-bounty? → sec-bounty-
Hmm, if I understood the video correctly, TB will retrieve IMAP messages using a stored password even if the password was changed on the server side. TB knows nothing about the password change, so if the server doesn't decline further access, it's a server-side problem. Surely after a restart you can no longer access new (not locally sync-ed) e-mail.
Yes, seems like a server problem. If the account password is changed, the server should drop any existing authenticated IMAP connections, and then when TB makes a new connection the TB password prompt will appear. A TB restart or offline/online transition should also cause a password prompt.
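The two comments above describe a server-side session lifecycle: an already-authenticated IMAP connection keeps working after a password change unless the server revokes it, while any fresh connection made with the cached old password fails and triggers the client's password prompt. The following is an added example, not Thunderbird or mail.com code: a small in-memory model of a hypothetical IMAP server that replays the reporter's steps against a server that keeps sessions alive and one that revokes them. The account name, passwords and response strings are constructed for the example (they mimic IMAP's OK/NO/BYE forms but come from no real server).

```python
"""Model of server-side IMAP session handling across a password change.

Added example, not Thunderbird or mail.com code. The server, account name,
passwords and response strings are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    """One client connection; 'user' is set once LOGIN succeeds."""
    user: Optional[str] = None
    closed: bool = False


@dataclass
class ImapServerModel:
    """Hypothetical IMAP server keeping users' passwords and live sessions."""
    passwords: Dict[str, str]
    revoke_on_password_change: bool
    sessions: List[Session] = field(default_factory=list)

    def connect(self) -> Session:
        s = Session()
        self.sessions.append(s)
        return s

    def login(self, s: Session, user: str, password: str) -> str:
        if s.closed:
            return "* BYE connection closed"
        if self.passwords.get(user) == password:
            s.user = user
            return "OK LOGIN completed"
        # This NO response is what makes a client such as Thunderbird
        # discard the cached password and prompt for a new one.
        return "NO [AUTHENTICATIONFAILED] invalid credentials"

    def fetch(self, s: Session) -> str:
        """Stand-in for SELECT/FETCH on an already open connection."""
        if s.closed:
            return "* BYE connection closed"
        if s.user is None:
            return "BAD command received in invalid state"
        return "OK FETCH completed"

    def change_password(self, user: str, new_password: str) -> None:
        """Update the credential and, if configured, drop that user's
        existing authenticated sessions so they must re-authenticate."""
        self.passwords[user] = new_password
        if self.revoke_on_password_change:
            for s in self.sessions:
                if s.user == user and not s.closed:
                    s.closed = True


def simulate(revoke: bool) -> Dict[str, str]:
    """Replay the reported steps and return what the client sees at each one."""
    account, old_pw, new_pw = "user@example.test", "old-pw", "new-pw"  # constructed
    server = ImapServerModel({account: old_pw}, revoke)
    conn = server.connect()
    seen = {}
    # Steps 5-8: log in with the (soon to be old) password and fetch mail.
    seen["login"] = server.login(conn, account, old_pw)
    seen["fetch_before"] = server.fetch(conn)
    # Steps 9-11: password changed in the provider's web panel.
    server.change_password(account, new_pw)
    # Steps 12-13: the same, still-open, already-authenticated connection.
    seen["fetch_after"] = server.fetch(conn)
    # What a restart or offline/online transition does: a fresh connection
    # using the password the client has stored.
    fresh = server.connect()
    seen["reconnect_cached"] = server.login(fresh, account, old_pw)
    return seen


if __name__ == "__main__":
    for revoke in (False, True):
        print(f"revoke_on_password_change={revoke}:")
        for step, response in simulate(revoke).items():
            print(f"  {step:17} {response}")
```

With revocation off, the open connection keeps serving mail after the change, which is the behaviour in the report; with revocation on, the open connection is closed and the reconnect with the cached password fails, which is the point at which the client's password prompt appears. In both cases the reconnect fails, which is why the report's steps are a server-side session policy question rather than a client authentication flaw.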
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Summary: Mozilla Thunderbird Potential Authentication Flaw → Thunderbird Potential Authentication Flaw - accesses mail with old password