Closed
Bug 1751419
Opened 3 years ago
Closed 3 years ago
Ability to encrypt and protect full profile folder
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: fpesari, Unassigned)
Details
Steps to reproduce:
- Created two users with their respective home directories, let's call them A and B
- Configured an email address on Thunderbird, user A
- Copied the .thunderbird directory from /home/A to /home/B
- Ran chown to set the right permissions
Actual results:
- Opening Thunderbird from user B results in access to the email account configured by user A
I know that this behavior of profile directories is intended; however, my doubt is this: if a malware* with read access to user A's home directory:
- Zips user A's .thunderbird directory into an archive
- Sends that archive to the attacker's own machine
- Extracts user A's .thunderbird directory into the attacker's own home directory
and then the attacker starts Thunderbird, will the attacker have access to user A's emails?
* or a regular program with a couple of rogue lines introduced by a packager who compromised it
Expected results:
IMHO, the profile directory should be encrypted and the attacker should be unable to import it on their own computer without knowing the master password. So, even if the attacker gained access to user A's .thunderbird directory, it would be unreadable junk.
Comment 1•3 years ago
If you a) have given user B access to the computer and b) given rights to read user A's data, then c) it is also within your power to either take away those rights or assist user A in encrypting said data.
Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Component: Untriaged → Security
Resolution: --- → DUPLICATE
Summary: Insecure behavior regarding profile folders → Ability to encrypt and protect full profile folder
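Added example (not part of the bug report and not Thunderbird code): a Python audit for the local-user case raised in Comment 1, listing entries under a profile directory that group or other can access and clearing those bits. The sample tree, its file names and the function names are constructed for the demo; permission bits do not constrain a process that already runs as the profile's owner.

```python
import os
import stat
import tempfile

def audit_profile(root):
    """Return [(path, mode)] for entries under root that group/other can access."""
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
    exposed = []
    for path in entries:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # skip symlinks; a link's own mode bits do not gate access
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # any group/other read, write or execute bit
            exposed.append((path, mode))
    return exposed

def tighten(root):
    """Clear group/other bits on every exposed entry; return how many changed."""
    exposed = audit_profile(root)
    for path, mode in exposed:
        os.chmod(path, mode & 0o700)
    return len(exposed)

def build_sample_profile(base):
    """Constructed sample tree for the demo, not a real Thunderbird profile."""
    root = os.path.join(base, ".thunderbird")
    prof = os.path.join(root, "example.default")
    os.makedirs(prof)
    modes = {"prefs.js": 0o644, "logins.json": 0o600, "key4.db": 0o640}
    for name, mode in modes.items():
        path = os.path.join(prof, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(prof, 0o700)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        root = build_sample_profile(base)
        for path, mode in audit_profile(root):
            print(f"{oct(mode)} {os.path.relpath(path, base)}")
        print("entries tightened:", tighten(root))
        print("still exposed:", audit_profile(root))
```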