Closed Bug 1597656 Opened 6 years ago Closed 6 years ago

With full access to the computer you can steal all accounts configured in Thunderbird with full access to passwords and settings

Categories: Thunderbird :: Security, defect
Platform: x86_64 Windows
Type: defect
Priority: Not set
Severity: critical
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: pavian21; Assignee: Unassigned
Details: Keywords: reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?]

Description of the attack.
The attack works directly on Thunderbird's files. I came across the problem while looking for a way to transfer all my mail to another PC and another system. To copy / steal all mail, with full access and the ability to view passwords, it is enough to search the drive for the Thunderbird data. We focus on the Thunderbird configuration data located in "...\user_name\AppData\Roaming\Thunderbird".
We can copy the entire \AppData\Roaming\Thunderbird\ directory, but we are mainly interested in:
1. The "Profiles" directory
2. The profiles.ini file
The "Profiles" directory and the "profiles.ini" file are copied, for example, to a USB stick, unless we have copied the entire \AppData\Roaming\Thunderbird directory.
On another machine or virtual machine we install Thunderbird, regardless of version (the database with settings was successfully transferred from Thunderbird v. 52.9.1 to v. 68.2.2), go to the directory "...\user_name\AppData\Roaming\Thunderbird" and remove the "Profiles" directory and the "profiles.ini" file.
Then, in their place, we paste / copy / extract the "Profiles" directory and the "profiles.ini" file. We can also replace the entire "...\user_name\AppData\Roaming\Thunderbird" directory with the one from the old machine.
(Sometimes Thunderbird will not load the profile after launching, but this is not a problem. Just open profiles.ini, read the appropriate path to the copied profile and paste it into the following section of the profiles.ini file:
[Install_number]
Default = (paste the path)
Locked = 1

and similarly paste the path into the installs.ini file:

[the same number as in profiles.ini]
Default = (paste the path)
Locked = 1

then we save the changes to both files and close them.)

Now we can run Thunderbird with full access to the mail of the victim / old PC without entering any passwords. After these steps we have full access to all previously collected mail, the trash and its configured options, the certificates and all passwords for every mailbox that was set up in the program on the old PC or the victim's.
The only protection against this type of data theft is the "Use master password" option, but here too you can enter the password any number of times, so we have an unlimited number of attempts to crack this password locally with the appropriate program. The program's master password should have an option to lock after a certain number of attempts, and could be secured with changing keys, e.g. Google Authenticator.
This ends the attack / copying of all Thunderbird content: we have full access to all copied / stolen mail in all mailboxes configured in Thunderbird, with the ability to view the passwords for these mailboxes. The attack can be carried out on any Thunderbird, regardless of version and type of configuration. All the tests I have managed to run so far have given the same result: every configuration can be copied and run on a different PC.

Flags: sec-bounty?
Group: firefox-core-security → mail-core-security
OS: Unspecified → Windows
Product: Firefox → Thunderbird
Hardware: Unspecified → x86_64
Severity: normal → critical
Type: task → defect
Priority: -- → P1
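The profile relocation the reporter describes (copy Profiles\ and profiles.ini to the new machine, then make the [Install...] section of profiles.ini and the matching section of installs.ini name the copied profile with Locked=1), as an added example that is not part of the bug report or of Thunderbird's own code. It uses Python's configparser. The install hash and the two sample file contents are constructed, and the layout of the [ProfileN] sections (Name, IsRelative, Path) is assumed from the standard profiles.ini format rather than taken from the report.

```python
r"""Re-point Thunderbird's profile pointers at a copied profile.

Added example, not code from the bug report or from Thunderbird itself.
Once Profiles\ and profiles.ini from the old machine sit in
%APPDATA%\Thunderbird on the new one, the [Install<id>] section of
profiles.ini and the matching [<id>] section of installs.ini must name the
copied profile, with Locked=1, or Thunderbird may refuse to load it.
Assumed: [ProfileN] sections carry Name/Path (standard profiles.ini layout)
and install sections are keyed by an install hash, as the report describes.
"""
import configparser
import io
import os
import sys

# Constructed sample: a freshly copied profiles.ini / installs.ini before the
# fix-up. The install hash and profile directory names are made up.
SAMPLE_PROFILES_INI = """[General]
StartWithLastProfile=1
Version=2

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Install0123456789ABCDEF]
Default=Profiles/zzzz9999.old-machine
Locked=1
"""

SAMPLE_INSTALLS_INI = """[0123456789ABCDEF]
Default=Profiles/zzzz9999.old-machine
Locked=1
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Thunderbird writes Default, Locked, IsRelative
    cp.read_string(text)
    return cp


def _dump(cp):
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)  # emit key=value, no spaces
    return buf.getvalue()


def list_profiles(profiles_ini):
    """Return {name: path} for every [ProfileN] section in profiles.ini."""
    cp = _parse(profiles_ini)
    return {cp[s]["Name"]: cp[s]["Path"]
            for s in cp.sections() if s.startswith("Profile")}


def repoint(profiles_ini, installs_ini, profile_path):
    """Point every [Install<id>] section (profiles.ini) and its twin [<id>]
    section (installs.ini) at profile_path with Locked=1.

    profile_path must be one of the Path values listed in profiles.ini, i.e.
    the path the report says to read from the copied file. Returns the new
    contents of (profiles.ini, installs.ini) as strings.
    """
    prof = _parse(profiles_ini)
    inst = _parse(installs_ini)
    if profile_path not in list_profiles(profiles_ini).values():
        raise ValueError("%s is not a profile listed in profiles.ini" % profile_path)
    ids = [s[len("Install"):] for s in prof.sections() if s.startswith("Install")]
    if not ids:
        raise ValueError("profiles.ini has no [Install...] section")
    for ident in ids:
        # Assigning a dict replaces the section's keys in place.
        prof["Install" + ident] = {"Default": profile_path, "Locked": "1"}
        inst[ident] = {"Default": profile_path, "Locked": "1"}
    return _dump(prof), _dump(inst)


def main(argv):
    if len(argv) != 2:
        # No argument: show the rewrite on the constructed sample.
        print("profiles:", list_profiles(SAMPLE_PROFILES_INI))
        p, i = repoint(SAMPLE_PROFILES_INI, SAMPLE_INSTALLS_INI, "Profiles/abcd1234.default")
        print(p, i, sep="---- installs.ini ----\n")
        return 0
    # With a profile path: edit the real files under %APPDATA%\Thunderbird.
    root = os.path.join(os.environ.get("APPDATA", ""), "Thunderbird")
    p_file, i_file = os.path.join(root, "profiles.ini"), os.path.join(root, "installs.ini")
    with open(p_file, encoding="utf-8") as f:
        profiles_ini = f.read()
    installs_ini = ""
    if os.path.exists(i_file):
        with open(i_file, encoding="utf-8") as f:
            installs_ini = f.read()
    p, i = repoint(profiles_ini, installs_ini, argv[1])
    with open(p_file, "w", encoding="utf-8") as f:
        f.write(p)
    with open(i_file, "w", encoding="utf-8") as f:
        f.write(i)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the rewrite applied to the constructed sample; pass the Path value read from the copied profiles.ini to edit the real files under %APPDATA%\Thunderbird. The script only relocates the profile pointers; that Thunderbird then opens the copied profile and its stored credentials without any prompt, when no master password is set, is the reporter's observation and nothing the script adds or removes.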

If I understand correctly, your attack requires that the attacker has physical access to the victim's computer, and the victim failed to use any protection mechanisms on the computer to prevent files on the computer from being accessed. (Please correct me, if I misunderstood.)

IIUC, this isn't a security issue in Thunderbird.

Once a user has physical access to an unprotected computer, software can no longer protect the user.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Group: mail-core-security
Priority: P1 → --
Summary: You can steal all accounts configured in Thunderbird with full access to passwords and settings → With full access to the computer you can steal all accounts configured in Thunderbird with full access to passwords and settings
Flags: sec-bounty? → sec-bounty-