Closed Bug 300426 Opened 19 years ago Closed 19 years ago

Forward should not pull images from remote sites

Categories

(Thunderbird :: Security, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 300223

People

(Reporter: hickmott, Assigned: dveditz)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050514 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050514 Firefox/1.0.4

If the preference Advanced/Privacy/Block loading of remote images in messages is
checked, forwarding a message with embedded remote images should not load those
images.

This is a security problem because phishing scammers could use this to verify
that they have reached a real email address when you attempt to report the scam.

Here's a specific example I just encountered: I was just sent an obvious
phishing email (attached in the additional information field below) that tried
to get my PayPal login information. PayPal's real site instructs you to forward
phishing emails to spoof@paypal.com. When I did this, Thunderbird loaded the
images in the message I was forwarding. In this case, no harm was done, but
someone composing phishing email could easily include their own web bug image
which would be triggered by forwarding their email, letting them know that they
had found a real email address. Since part of the point of blocking remote
images is to prevent just this kind of address confirmation, and since the one
thing you can say for sure about phishing scammers is that they are malicious, this
is a real security problem.

Reproducible: Didn't try

Forwarding this phishing message to spoof@paypal.com loaded the remote images in
the email:

From - Mon Jul 11 21:19:20 2005
X-Account-Key: account2
X-UIDL: 909-1109848031
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
Received: from m1.dnsix.com ([172.18.12.132])
 by vms052.mailsrvcs.net (Sun Java System Messaging Server 6.2 HotFix 0.04
 (built Dec 24 2004)) with ESMTP id <0IJH0012YFK41C20@vms052.mailsrvcs.net> for
 hickmott@verizon.net; Mon, 11 Jul 2005 16:26:28 -0500 (CDT)
Received: from m1.dnsix.com (63.251.171.165)
 by sv14.verizon.net (MailPass SMTP server v1.2.0 - 013105113116JY+PrW)
 with  ESMTP id <2-10917-123-10917-214137-1-1121117188> for
 vms052pub.verizon.net; Mon, 11 Jul 2005 16:26:28 -0500
Received: from [65.254.35.34] (helo=web01.tjc.no)	by m1.dnsix.com with esmtp
 (Exim 4.44)	id 1Ds5nI-0001Rb-38	for hickmott@redbird.org; Mon,
 11 Jul 2005 14:26:28 -0700
Received: from steve by web01.tjc.no with local (Exim 4.50)
 id 1Ds5mx-0005jI-4j	for hickmott@redbird.org; Mon, 11 Jul 2005 23:26:07 +0200
Date: Mon, 11 Jul 2005 23:26:07 +0200
From: PayPal<paypal@email.paypal.com>
Subject: Update Your Account Records
To: hickmott@redbird.org
Message-id: <E1Ds5mx-0005jI-4j@web01.tjc.no>
MIME-version: 1.0
Content-type: text/html
Content-transfer-encoding: 8BIT
X-AntiAbuse: This header was added to track abuse,
 please include it with any abuse report
X-AntiAbuse: Primary Hostname - web01.tjc.no
X-AntiAbuse: Original Domain - redbird.org
X-AntiAbuse: Originator/Caller UID/GID - [32128 32129] / [47 12]
X-AntiAbuse: Sender Address Domain - web01.tjc.no
X-Source:
X-Source-Args:
X-Source-Dir:


<A href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><IMG
src="http://www.paypalobjects.com/en_US/i/header/t1Hdr_hpGraphic_563x115.jpg"
border=0></A>&nbsp;  <TABLE cellSpacing=0 cellPadding=0 width=600
align=center border=0> <TBODY> <TR> <TD colSpan=3><IMG height=2
src="pp.files/pixel.gif"  width=2></TD></TR></TBODY></TABLE> <P><FONT
size=2><FONT face=Verdana>Dear valued&nbsp;<STRONG><STRONG><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 
Verdana">PayPal<SUP>®</SUP></SPAN></STRONG>&nbsp;</STRONG>member</FONT>:&nbsp;<BR></FONT><BR></P>

<P><FONT face=Verdana size=2>It has come to our attention that
your&nbsp;<SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> account information
needs to be&nbsp;<BR>updated as part of our continuing commitment to
protect your account and to&nbsp;<BR>reduce the instance of fraud on our
website.&nbsp;</FONT><FONT face=Verdana size=2><FONT face=Verdana size=2>
If you could please take 5-10 minutes&nbsp;<BR>out of your </FONT><FONT
face=Verdana size=2> online </FONT><FONT face=Verdana size=2>experience
and update your personal records you will not run into&nbsp;<BR>any future

</FONT><FONT face=Verdana size=2>problems with the online
service.&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT></P>

<P><FONT face=Verdana size=2>However, failure to update your records will
result in account suspension.&nbsp;<BR>Please update your records&nbsp;on
or before&nbsp;<FONT color=red><STRONG>July 13th,
2005</STRONG>.</FONT>&nbsp;<BR><BR>Once you have updated your account
records, your&nbsp;<SPAN style="FONT-SIZE: 10pt; COLOR: black; 
FONT-FAMILY: Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> session
will not be&nbsp;<BR>interrupted and will continue as normal. </FONT></P>

<P><FONT face=Verdana size=2>To update your <SPAN style="FONT-SIZE: 10pt;
COLOR: black; FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> records click on the
following link:&nbsp;<BR></FONT><A
href="http://68.178.144.18/account/CVS/.us/paypal/login.html"target=_self><FONT
face=Verdana
size=2>http://www.paypal.com/cgi-bin/webscr?cmd=_login-run</FONT></A></P>
<P><FONT face=Verdana size=2></FONT>&nbsp;</P> <P><FONT face=Verdana
size=2>Thank You. &nbsp;<BR><SPAN style="FONT-SIZE:  10pt; COLOR: black; 
FONT-FAMILY: Verdana"><STRONG>PayPal<SUP>® </SUP><SPAN style="FONT-SIZE: 
10pt; COLOR: black; FONT-FAMILY: Verdana">UPDATE </SPAN></STRONG><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana"><STRONG>TEAM</STRONG></SPAN></SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

</P> <P><FONT face=Verdana size=2>Accounts Management As outlined in our
User Agreement, <SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 
Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN>
will&nbsp;<BR>periodically send you information about site changes and
enhancements. </FONT></P> <P><FONT face=Verdana size=2>Visit our Privacy
Policy </FONT><FONT face=Verdana size=2>and User Agreement if you have any
questions.&nbsp;<BR></FONT><A
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside"><FONT
face=Verdana
size=2>http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside</FONT></A></P>

<P>&nbsp;</P></FORM></FONT></FONT></BODY></HTML>
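The mitigation the report asks for is that the forward path never resolves a remote image reference from the original message. The following added example (illustrative code, not Thunderbird's own implementation) shows the defensive check in isolation: it walks an HTML body, records every attribute whose value a renderer would fetch automatically from a network host, and rewrites just those to a non-fetching placeholder while leaving relative paths, `cid:` parts and `data:` URLs alone. The sample body, the `tracker.example` host and the `BLOCKED` placeholder are constructed for the example; the sample is modelled on the structure of the attached message above.

```python
"""Added example (not Thunderbird's code): find and neutralise remote image
references in an HTML message body before it is quoted into a forward, so the
act of forwarding cannot fire a sender's web bug."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs whose value a renderer fetches automatically when the
# message is shown or loaded into the compose window. Plain <a href> is not
# included: a link is only followed on a click, never on display.
FETCH_ATTRS = {("img", "src"), ("img", "lowsrc"), ("input", "src"),
               ("body", "background"), ("table", "background"), ("td", "background")}
BLOCKED = "about:blank"  # placeholder that causes no network request (assumed)


def is_remote(url):
    """True if loading this URL would contact a network host."""
    parts = urlsplit(url.strip())
    if parts.scheme in ("http", "https", "ftp"):
        return True
    # A protocol-relative reference (//host/path) also reaches the network;
    # cid:, data: and relative paths resolve without one.
    return parts.scheme == "" and parts.netloc != ""


class RemoteImageBlocker(HTMLParser):
    """Streams the markup back out, rewriting only remote fetch attributes."""

    def __init__(self):
        # convert_charrefs=False keeps &nbsp; and friends intact in the output
        super().__init__(convert_charrefs=False)
        self.out = []      # output fragments, joined at the end
        self.blocked = []  # URLs that were neutralised, for a "blocked" notice

    def _filtered_tag(self, tag, attrs, self_closing):
        changed = False
        kept = []
        for name, value in attrs:
            if value is not None and (tag, name) in FETCH_ATTRS and is_remote(value):
                self.blocked.append(value)
                value, changed = BLOCKED, True
            kept.append((name, value))
        if not changed:
            return self.get_starttag_text()  # untouched tag: emit original text
        pieces = [tag] + [name if value is None
                          else '%s="%s"' % (name, html.escape(value, quote=True))
                          for name, value in kept]
        return "<%s%s>" % (" ".join(pieces), " /" if self_closing else "")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._filtered_tag(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._filtered_tag(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)

    def handle_pi(self, data):
        self.out.append("<?%s>" % data)

    def unknown_decl(self, data):
        self.out.append("<![%s]>" % data)


def block_remote_images(html_body):
    """Return (rewritten_html, blocked_urls) for an HTML message body."""
    parser = RemoteImageBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample body: one remote header image as in the attached mail, a
# relative tracking pixel, a protocol-relative beacon and an inline cid: part.
SAMPLE = (
    '<A href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><IMG\n'
    'src="http://www.paypalobjects.com/en_US/i/header/t1Hdr_hpGraphic_563x115.jpg"\n'
    'border=0></A>&nbsp;<IMG height=2 src="pp.files/pixel.gif" width=2>'
    '<IMG src="//tracker.example/beacon.gif"><img src="cid:logo@local">'
)

if __name__ == "__main__":
    body, blocked = block_remote_images(SAMPLE)
    print("blocked before forwarding:", blocked)
    print(body)
```

Two design points matter for a mail client. The rewrite has to happen on the body that is handed to the compose window, not on the displayed view, because the report is about the forward action itself triggering the fetch. And the list of blocked URLs should be surfaced to the user as a "remote content blocked" notice rather than silently dropped, since a legitimate forward may need those images re-enabled deliberately.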

*** This bug has been marked as a duplicate of 300223 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED