Closed Bug 1521611 Opened 5 years ago Closed 5 years ago

Phishing Attack with special characters in Mozilla Thunderbird (spoofing e-mail sender)

Categories

(Thunderbird :: Security, defect)

Type: defect
Priority: Not set
Severity: major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1506587

People

(Reporter: kontakt, Unassigned)

Details

Attachments

(4 files)

Attached image POC_1.jpg

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce:

  1. VULNERABILITY DETAILS:

I have identified the possibility of deceiving the user regarding the person who sent the e-mail.
An attacker using a "few" special characters is able to create a quite convincing image of the e-mail sender.

Actual results:

  2. PROOF OF CONCEPT:
    Step by step:
    a) The attacker wants to impersonate/spoof the e-mail address: spoofing@any.email
    b) The attacker on his e-mail sets the following payload in the "Display Name"/"Name and Surname" field:
    10000SpacesInName\u0020<spoofing@any.email>[64 x \u3000][15595 x \u3000][1 x \u0000]

Full name field is in file "e-mail_name_16000_chars.txt".

    c) Then the attacker sends an e-mail to the victim of the attack.
    d) The victim of the attack sees such an e-mail (picture: POC_1.jpg, POC_2.jpg and POC_3.jpg).

We can observe that even when a victim responds to an email he does not see a real email (POC_3.jpg).

3 special characters were used there:

  • 'IDEOGRAPHIC SPACE' (U+3000)
  • 'SPACE' (U+0020)
  • 'NULL' (U+0000)

  3. VERSION:
    a) PC
    Mozilla Thunderbird Version: 60.4.0
    Operating System: Windows 7 SP1 (fully updated)

Expected results:

  4. RECOMMENDATION:
    All special characters should be properly filtered and cleaned before displaying. In addition, with long names in e-mail, it is recommended to use the display rule "X characters of the name ... <true@address.email>" - so that you always display the real e-mail address at the end.

====

If in any way I can help, please contact me.

Best Regards and thank you for your reply,
Artur

Attached image POC_2.jpg
Attached image POC_3.jpg

P.S. I'm sorry. In section "PROOF OF CONCEPT" should be:
10000SpacesInName\u0020<spoofing@any.email>[64 x \u3000][15595 x \u0020][1 x \u0000]
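The recommendation above (filter control and special characters, truncate long display names, always render the real address last) as an added defensive check; this is example code, not code from the report or from Thunderbird. It assumes the display name has already been RFC 2047 decoded, uses the corrected payload from the P.S. as constructed input, and the real sender address, the 32-character name limit and the whitespace threshold are placeholders.

```python
import re
import unicodedata

# Constructed sample input: the corrected display name from the report,
# a fake address followed by 64 x U+3000, 15595 x U+0020 and 1 x U+0000.
SPOOFED_NAME = ("10000SpacesInName\u0020<spoofing@any.email>"
                + "\u3000" * 64 + "\u0020" * 15595 + "\u0000")
REAL_ADDRESS = "attacker@example.invalid"   # placeholder real sender address

ADDR_LIKE = re.compile(r"[^\s<>@]+@[^\s<>@]+")   # anything that looks like user@host
MAX_NAME_CHARS = 32          # placeholder "X characters of the name" limit
MAX_WHITESPACE = 8           # hypothetical threshold; real names have a few spaces


def clean_display_name(name):
    """Drop control (Cc, e.g. NULL) and format (Cf) characters, then collapse
    every run of Unicode whitespace (IDEOGRAPHIC SPACE included) to one space."""
    kept = "".join(ch for ch in name
                   if unicodedata.category(ch) not in ("Cc", "Cf"))
    return " ".join(kept.split())   # str.split() treats U+3000 as whitespace


def analyze_sender(name, address):
    """Return (rendered, findings): the string to show in the sender column,
    which always ends with the real address, plus a list of suspicious traits."""
    findings = []
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in name):
        findings.append("control-or-format-chars")
    if sum(1 for ch in name if ch.isspace()) > MAX_WHITESPACE:
        findings.append("excessive-whitespace")
    cleaned = clean_display_name(name)
    # A display name that itself contains an address or angle brackets is
    # the core of this report: it is meant to be read as the sender address.
    if ADDR_LIKE.search(cleaned) or "<" in cleaned or ">" in cleaned:
        findings.append("address-like-text-in-name")
    if len(cleaned) > MAX_NAME_CHARS:
        cleaned = cleaned[:MAX_NAME_CHARS] + "..."
    rendered = f"{cleaned} <{address}>" if cleaned else f"<{address}>"
    return rendered, findings


if __name__ == "__main__":
    print(analyze_sender(SPOOFED_NAME, REAL_ADDRESS))
```

For the sample payload the rendered string is 62 characters long and ends with the real address, whereas the raw name is over 15,000 characters of padding.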

Keywords: sec-high
Severity: normal → major
Component: Mail Window Front End → Security

Already working on this in bug 1506587. (The WIP patch should already fix this particular test case.)

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Keywords: sec-high
Resolution: --- → DUPLICATE
Group: mail-core-security
