Closed Bug 1777737 Opened 3 years ago Closed 3 years ago

seeing remote content

Categories

(Thunderbird :: Untriaged, defect)

Thunderbird 91
defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: teslaenergy, Unassigned)

Details

Attachments

(1 file)

521.47 KB, application/zip
Details
Attached file email.zip

Steps to reproduce:

Just received the email.

Actual results:

I could view remote content when it says it's blocked. I think it's following some kind of remote link like http://website.com/picture and it does not have an extension.

Expected results:

The pictures would normally be blocked.

Content-Disposition: inline; looks like this is not blocked.

Clay, can you please explain why you consider this as remote content being displayed?

The purpose of remote content blocking is to prevent a dynamic access to an external site, because this could be used to track the email recipient, and allow the attacker to learn that an email to an address was indeed received.

If the images are fully embedded in the email, we should not trigger a connection. It seems to me, viewing your example email does not trigger a remote connection.

Can you please explain what risk you see here?

Flags: needinfo?(teslaenergy)
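As an added example, not part of this bug report and not Thunderbird's own code, the following Python script makes the distinction drawn in the comment above checkable on a raw message: image references that resolve to a part shipped inside the message (`cid:`) or carry their bytes inline (`data:`) need no connection, while `http`/`https` references would trigger the fetch that remote content blocking exists to prevent. The scheme-based classification, the helper names and the sample message are assumptions of this example, not a description of Thunderbird's implementation.

```python
"""Added example (not Thunderbird code): does an email need a network
fetch to render its images?

Assumptions of this example (not taken from Thunderbird):
  - "cid:" references that resolve to a Content-ID inside the message,
    and "data:" URLs, are rendered from the message itself.
  - "http:"/"https:" references, and anything relative, need a fetch.
The message built by build_sample() is constructed for this demo.
"""
import base64
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# 1x1 GIF used as the embedded image (constructed test data)
TINY_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="
)


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def classify_images(raw):
    """Return {'embedded': [...], 'remote': [...], 'dangling': [...]}.

    'dangling' holds cid: references with no matching part inside the
    message: a client cannot render them, but nothing is fetched either.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Content-IDs of parts that travel inside the message itself
    cids = {p["Content-ID"].strip("<>") for p in msg.walk() if p["Content-ID"]}
    result = {"embedded": [], "remote": [], "dangling": []}
    body = msg.get_body(preferencelist=("html",))
    if body is None:  # plain-text only: nothing to fetch
        return result
    collector = _ImgCollector()
    collector.feed(body.get_content())
    for src in collector.srcs:
        scheme = urlsplit(src).scheme.lower()
        if scheme == "cid":
            key = "embedded" if src[4:] in cids else "dangling"
            result[key].append(src)
        elif scheme == "data":
            result["embedded"].append(src)
        else:
            # http, https, or a relative reference a client might resolve
            # against some base URL: all of these mean a connection
            result["remote"].append(src)
    return result


def triggers_remote_fetch(raw):
    """True if rendering the HTML body would contact an external host."""
    return bool(classify_images(raw)["remote"])


def build_sample():
    """Constructed message: one image shipped as an inline related part,
    one data: URL, and one remote image like the one in the report."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text fallback")
    data_url = "data:image/gif;base64," + base64.b64encode(TINY_GIF).decode()
    html = (
        "<html><body>\n"
        '<img src="cid:logo@example.org">\n'
        '<img src="http://website.com/picture">\n'
        f'<img src="{data_url}">\n'
        "</body></html>\n"
    )
    msg.add_alternative(html, subtype="html")
    # turn the HTML alternative into multipart/related carrying the GIF,
    # with Content-Disposition: inline as in the reporter's message
    msg.get_payload()[-1].add_related(
        TINY_GIF, maintype="image", subtype="gif",
        cid="<logo@example.org>", disposition="inline",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    report = classify_images(build_sample())
    for kind, srcs in report.items():
        print(f"{kind}: {srcs}")
    print("remote fetch needed:", triggers_remote_fetch(build_sample()))
```

Run against the reporter's attachment (`classify_images(open("email.eml", "rb").read())`), an empty `remote` list means viewing the message does not contact any external host, which is the property the remote content blocker protects; anything listed under `remote` is what a client must withhold until the user approves it.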

Exploits in different image formats are possible. Also it could exploit the human aspect of it, from spam and being surprised by what you're seeing.

There are also other things to consider, such as zero-width characters too: https://stegcloak.surge.sh/

Flags: needinfo?(teslaenergy)

I'm not yet convinced that this is a security issue with Thunderbird.
Let's structure this, because you are mentioning different aspects.

(1) Bugs in image processing.

You're worried about the potential risk that an image could trigger a bug in Thunderbird's image processing code.

This risk is not related to remote content blocking.
If there's really a bug in image processing, that bug would equally apply after a user has approved loading a remote image.
(This is the scenario when an HTML email contains an image from a remote location.)

If a user is really worried about this risk, they have the choice to configure to always show emails as plain text, which ignores all included and remote images. (Menu: View, message body as, plain text).

(2) Showing an included image by default

I think this is acceptable and is by design.
If you receive spam, the spam content can be equally present using text or an image.

(3) Text steganography

Why do you consider the functionality offered by stegcloak a problem for Thunderbird users?

If there are additional invisible characters in an email, and we don't render them as intended, what's the problem for the user?
If anyone wants to play with that to attempt to hide a text, why not let them do it?

Flags: needinfo?(teslaenergy)

I'm resolving this as invalid for now. If we get convincing arguments, we can reopen.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID

Not only can it show inline image content, but it can run JavaScript too.

Flags: needinfo?(teslaenergy)

(In reply to clay from comment #6)
> but can run javascript too.

Have you actually seen javascript being executed?

Because we assume it's turned off.

https://mailtimers.com/ was used and it seems to script something? I doubt it's just a GIF image.

Oh, I see, it's just a GIF, with an option to connect to a remote server for the actual timer.

Remove sec-sensitive?

Flags: needinfo?(mkmelin+mozilla)

Yes.

Group: mail-core-security
Flags: needinfo?(mkmelin+mozilla)