Closed Bug 1928863 Opened 1 month ago Closed 1 month ago

Unprotected Deep Link Allows Unauthorized App Access to Messages - Thunderbird: Free Your Inbox Android App

Categories

(Thunderbird :: Untriaged, defect)


Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: bayronkentoy, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Safari/605.1.15

Steps to reproduce:

  1. Install Thunderbird: Free Your Inbox Version 8.0 on your Android Phone
  2. Create a simple Android app that initiates an Intent targeting the exposed deep link.

```java
intent.setData(Uri.parse("k9mail://messages"));
startActivity(intent);
```

  3. Upon launching, the app will open the deep link in the Thunderbird application without user authentication, displaying the user’s message.
  4. I created a simple Android app to demonstrate this vulnerability. Please refer to the attachments for the app. Additionally, I have provided a video proof-of-concept to demonstrate the vulnerability in action, highlighting how an unauthorized app can access sensitive messages from the target application.


Actual results:

The Thunderbird Android application has an unprotected "k9mail://messages" deep link that allows any third-party app to access sensitive user messages without proper authentication or authorization. This vulnerability exposes user messages to any app associated with the deeplink.


Expected results:

The app should validate the request’s source and authenticate the user before showing messages and add intent filters with permissions in AndroidManifest.xml to restrict access.

I'm sorry, my report formatting got messed up with the markdown. By the way, here’s the proof-of-concept video, uploaded to YouTube as an unlisted link. PoC

  1. Using k9mail://messages in the data field of the intent used to launch the app does nothing. You might as well not set it.
  2. What exactly do you believe to be the problem? That you can launch an activity from Thunderbird for Android that appears in the context of another app? That might be a way to confuse the user. But it doesn't allow another app access to the data stored inside Thunderbird for Android.

Thank you for the response! The concern is not simply that k9mail://messages launches an activity, but rather that this deeplink allows external apps (like mine) to access and display messages data from the Thunderbird app. Specifically, when this deeplink is triggered, it retrieves and displays the messages data intended only for the Thunderbird app's users.

I think you're misunderstanding the mechanism you're using. It's not your app that is loading and displaying the data. It's still the Thunderbird app. It's just that the activity is displayed in the UI task of your app. Like I said, that might be confusing to the user. But it doesn't give your app access to any of Thunderbird's data.

Thank you for the clarification! I understand that Thunderbird itself is responsible for displaying the data, and that the deeplink does not directly transfer data into my app. However, the issue here is that, by using this unprotected deeplink, Thunderbird's sensitive data (such as personal messages) is exposed within my app's task context without any user authentication or verification.

From the user’s perspective, it appears as though my app can directly display or access their private messages from Thunderbird, potentially misleading them about the privacy of their data.

I don't consider this a security issue. If you feel this should be changed, please open an issue in the bug tracker for Thunderbird for Android: https://github.com/thunderbird/thunderbird-android/issues/new/choose

Status: UNCONFIRMED → RESOLVED
Closed: 1 month ago
Resolution: --- → INVALID
Group: mail-core-security
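
A manifest audit for the kind of entry point discussed in this thread, as an added example that is not from the bug report or the Thunderbird project: it lists exported activities that declare a URI intent filter and shows whether an `android:permission` guards them. The manifest is constructed; the package, activity and permission names are hypothetical, and only the `k9mail://messages` URI comes from the report.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed sample manifest: package, activity and permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mail">
  <application>
    <activity android:name=".MessageListActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="k9mail" android:host="messages" />
      </intent-filter>
    </activity>
    <activity android:name=".ComposeActivity" android:exported="true"
        android:permission="com.example.mail.permission.COMPOSE">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="examplemail" />
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false" />
  </application>
</manifest>"""

def audit_deep_links(manifest_xml):
    """Return one finding per activity that other apps can start through a URI filter."""
    findings = []
    for activity in ET.fromstring(manifest_xml).iter("activity"):
        filters = activity.findall("intent-filter")
        exported = activity.get(ANDROID + "exported")
        # Without android:exported, builds targeting releases before Android 12
        # default to exported whenever an intent filter is present.
        is_exported = exported == "true" or (exported is None and bool(filters))
        uris = sorted({
            f"{d.get(ANDROID + 'scheme')}://{d.get(ANDROID + 'host') or '*'}"
            for f in filters for d in f.findall("data")
            if d.get(ANDROID + "scheme")})
        if is_exported and uris:
            findings.append({"activity": activity.get(ANDROID + "name"), "uris": uris,
                             "permission": activity.get(ANDROID + "permission")})
    return findings

if __name__ == "__main__":
    for f in audit_deep_links(SAMPLE_MANIFEST):
        guard = f["permission"] or "none: any installed app can start it"
        print(f"{f['activity']}: {', '.join(f['uris'])} (permission: {guard})")
```

A permission on the activity only limits which apps may start it; whether the screen it opens needs an in-app authentication gate is a separate design decision.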