Closed Bug 1670739 Opened 3 years ago Closed 3 years ago

Thunderbird displays the date of a message based on the potentially malicious Date header

Categories

(Thunderbird :: Message Reader UI, enhancement)

Product:
Thunderbird
Component:
Message Reader UI
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: me, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0

Steps to reproduce:

I sent a backdated message, in which the date in the Date header is over one year old, to my inbox. (Both the outgoing mail server and the incoming mail server belong to reputable email service providers, which don't prevent this behavior.)

Actual results:

Thunderbird in version 68.12.1 sorts and displays messages based on the origination date header (https://tools.ietf.org/html/rfc5322#section-3.6.1). This field is sender- and thus attacker-chosen. While the severity is not critical, I think Thunderbird's design decision allows for considerable misuse in the context of social engineering. For example, a scammer can backdate financial predictions and reference such messages in a current email. Unless you view the source of the message and inspect the Received headers, ordinary users might fall for the scammer's trick as they have no reason not to trust what Thunderbird displays to them. Other misuse is backdating a message to meet a passed deadline.

Expected results:

Apple Mail and the Gmail's Web interface don't have this problem. I assume they take the date of the uppermost Received header, which is generated by the mail server of the user and is thus way more trustworthy. At the very least, I would expect that Thunderbird displays both dates in the message view and labels them with "Sent date" and "Received date" if the dates are more than one hour (or some other threshold) apart.

Please let me know in the next 30 days whether you treat this as a security incident. If I don't hear back from you by mid-November, I will disclose this issue in a long article about email in general.

If you want the received date in display, you can choose to show the Received column, which does that.
Yes, spam many times arrive with wrong dates. No need to keep this security restricted.
Trying the trick you mention would easily get you caught, so not a very good trick.

Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Component: Untriaged → Message Reader UI
Resolution: --- → WONTFIX

Thanks, I didn't know about the Received column. However, for all my emails, including the backdated ones, this column shows the same (spoofed) date and time as the Date column. (Tested with Thunderbird 68.12.1 on macOS.) (And if it worked, why not make this column the default? And if Thunderbird already determines the received date, why not show it in the message view as well?)

For me, this issue is serious enough that it had to be your call to disclose it, not mine (especially given that Thunderbird's behavior deviates from what other mail clients do for presumably good reasons). The only reason I reported it was to let you make this decision, which you now did.

The thing with scams it that they just have to work a tiny fraction of times to be worthwhile (and cause a lot of damage for the people who fell for it). Only a fraction of people use Thunderbird. But among Thunderbird users, I'd expect that a majority doesn't know about Received headers and how to check them.

Given how little effort it is to address this issue, I'm a bit surprised by the "won't fix". I respect your decision and don't care much about it, since Thunderbird is not my main mail client, but if protecting its users isn't Thunderbird's main value proposition, what is it? (No answer needed.)

I guess you use IMAP, see bug 402594.

Yes, thanks for the clarification.

Here is my write-up of this issue: https://explained-from-first-principles.com/email/#origination-date

You need to log in before you can comment on or make changes to this bug.