Closed
Bug 300426
Opened 19 years ago
Closed 19 years ago
Forward should not pull images from remote sites
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 300223
People
(Reporter: hickmott, Assigned: dveditz)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050514 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050514 Firefox/1.0.4

If the preference Advanced/Privacy/Block loading of remote images in messages is checked, forwarding a message with embedded remote images should not load those images. This is a security problem because phishing scammers could use this to verify that they have reached a real email address when you attempt to report the scam.

Here's a specific example I just encountered: I was just sent an obvious phishing email (attached in the additional information field below) that tried to get my PayPal login information. PayPal's real site instructs you to forward phishing emails to spoof@paypal.com. When I did this, Thunderbird loaded the images in the message I was forwarding. In this case, no harm was done, but someone composing phishing email could easily include their own web bug image which would be triggered by forwarding their email, letting them know that they had found a real email address. Since part of the point of blocking remote images is to prevent just this kind of address confirmation, and since the one thing you can say for sure about phishing scammers is that they are malicious, this is a real security problem.
Reproducible: Didn't try

Forwarding this phishing message to spoof@paypal.com loaded the remote images in the email:

From - Mon Jul 11 21:19:20 2005
X-Account-Key: account2
X-UIDL: 909-1109848031
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
Received: from m1.dnsix.com ([172.18.12.132]) by vms052.mailsrvcs.net (Sun Java System Messaging Server 6.2 HotFix 0.04 (built Dec 24 2004)) with ESMTP id <0IJH0012YFK41C20@vms052.mailsrvcs.net> for hickmott@verizon.net; Mon, 11 Jul 2005 16:26:28 -0500 (CDT)
Received: from m1.dnsix.com (63.251.171.165) by sv14.verizon.net (MailPass SMTP server v1.2.0 - 013105113116JY+PrW) with ESMTP id <2-10917-123-10917-214137-1-1121117188> for vms052pub.verizon.net; Mon, 11 Jul 2005 16:26:28 -0500
Received: from [65.254.35.34] (helo=web01.tjc.no) by m1.dnsix.com with esmtp (Exim 4.44) id 1Ds5nI-0001Rb-38 for hickmott@redbird.org; Mon, 11 Jul 2005 14:26:28 -0700
Received: from steve by web01.tjc.no with local (Exim 4.50) id 1Ds5mx-0005jI-4j for hickmott@redbird.org; Mon, 11 Jul 2005 23:26:07 +0200
Date: Mon, 11 Jul 2005 23:26:07 +0200
From: PayPal<paypal@email.paypal.com>
Subject: Update Your Account Records
To: hickmott@redbird.org
Message-id: <E1Ds5mx-0005jI-4j@web01.tjc.no>
MIME-version: 1.0
Content-type: text/html
Content-transfer-encoding: 8BIT
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web01.tjc.no
X-AntiAbuse: Original Domain - redbird.org
X-AntiAbuse: Originator/Caller UID/GID - [32128 32129] / [47 12]
X-AntiAbuse: Sender Address Domain - web01.tjc.no
X-Source:
X-Source-Args:
X-Source-Dir:

<A href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><IMG src="http://www.paypalobjects.com/en_US/i/header/t1Hdr_hpGraphic_563x115.jpg" border=0></A>
<TABLE cellSpacing=0 cellPadding=0 width=600 align=center border=0> <TBODY> <TR> <TD colSpan=3><IMG height=2 src="pp.files/pixel.gif" width=2></TD></TR></TBODY></TABLE>
<P><FONT size=2><FONT face=Verdana>Dear valued <STRONG><STRONG><SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana">PayPal<SUP>®</SUP></SPAN></STRONG> </STRONG>member</FONT>: <BR></FONT><BR></P>
<P><FONT face=Verdana size=2>It has come to our attention that your <SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> account information needs to be <BR>updated as part of our continuing commitment to protect your account and to <BR>reduce the instance of fraud on our website. </FONT><FONT face=Verdana size=2><FONT face=Verdana size=2> If you could please take 5-10 minutes <BR>out of your </FONT><FONT face=Verdana size=2> online </FONT><FONT face=Verdana size=2>experience and update your personal records you will not run into <BR>any future </FONT><FONT face=Verdana size=2>problems with the online service. <BR> </FONT></P>
<P><FONT face=Verdana size=2>However, failure to update your records will result in account suspension. <BR>Please update your records on or before <FONT color=red><STRONG>July 13th, 2005</STRONG>.</FONT> <BR><BR>Once you have updated your account records, your <SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> session will not be <BR>interrupted and will continue as normal. </FONT></P>
<P><FONT face=Verdana size=2>To update your <SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> records click on the following link: <BR></FONT><A href="http://68.178.144.18/account/CVS/.us/paypal/login.html"target=_self><FONT face=Verdana size=2>http://www.paypal.com/cgi-bin/webscr?cmd=_login-run</FONT></A></P>
<P><FONT face=Verdana size=2></FONT> </P>
<P><FONT face=Verdana size=2>Thank You. <BR><SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana"><STRONG>PayPal<SUP>® </SUP><SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana">UPDATE </SPAN></STRONG><SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana"><STRONG>TEAM</STRONG></SPAN></SPAN> </P>
<P><FONT face=Verdana size=2>Accounts Management As outlined in our User Agreement, <SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> will <BR>periodically send you information about site changes and enhancements. </FONT></P>
<P><FONT face=Verdana size=2>Visit our Privacy Policy </FONT><FONT face=Verdana size=2>and User Agreement if you have any questions. <BR></FONT><A href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside"><FONT face=Verdana size=2>http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside</FONT></A></P>
<P> </P></FORM></FONT></FONT></BODY></HTML>
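The report's point is that any remote image reference in an HTML message is fetched the moment the client renders the message, so rendering it in order to forward it fires the attacker's web bug and confirms the address is live. As an added illustration (not code from the bug report or from Thunderbird), the script below parses a raw message, lists the image references that a rendering client would fetch over the network (as opposed to relative or cid: references, which resolve locally), and flags links whose visible text shows a URL on a different host than the one the href points at, the two tell-tales in the attached phishing mail. The sample message is constructed for this example and modelled on the attachment; the tracker.example host and the shortened login path are assumptions.

```python
"""Added example: find remote-image web bugs and look-alike links in an
HTML e-mail. Not code from the bug report or from Thunderbird."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the phishing mail attached to the report.
# tracker.example and the /account/login.html path are assumptions.
SAMPLE_MESSAGE = b"""\
From: PayPal<paypal@email.paypal.com>
To: victim@example.net
Subject: Update Your Account Records
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 8bit

<A href="http://www.paypal.com/cgi-bin/webscr?cmd=_home"><IMG src="http://www.paypalobjects.com/en_US/i/header/t1Hdr_hpGraphic_563x115.jpg" border=0></A>
<IMG height=1 width=1 src="http://tracker.example/pixel.gif?id=victim">
<IMG height=2 width=2 src="pp.files/pixel.gif">
<IMG src="cid:logo@local">
<P>To update your records click on the following link:
<A href="http://68.178.144.18/account/login.html" target=_self>http://www.paypal.com/cgi-bin/webscr?cmd=_login-run</A></P>
"""

# Schemes a mail client resolves over the network when it renders the message.
REMOTE_SCHEMES = ("http", "https")


class _Scanner(HTMLParser):
    """Collect <img src> values and (href, visible text) pairs for <a>."""

    def __init__(self):
        super().__init__()
        self.image_srcs = []
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "img" and a.get("src"):
            self.image_srcs.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(raw_message):
    """Return the decoded text/html part of a raw RFC 822 message, or ''."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def scan(raw_message):
    """Parse the message body and return (image_srcs, links)."""
    scanner = _Scanner()
    scanner.feed(html_body(raw_message))
    scanner.close()
    return scanner.image_srcs, scanner.links


def remote_images(image_srcs):
    """Image sources a rendering client fetches over the network.

    Relative paths and cid: references are resolved locally, so they cannot
    confirm delivery; only these remote ones are what a 'block remote images'
    setting has to suppress when the message is rendered to be forwarded.
    """
    return [src for src in image_srcs
            if urlparse(src).scheme.lower() in REMOTE_SCHEMES]


def deceptive_links(links):
    """Links whose visible text is a URL on a different host than the href."""
    flagged = []
    for href, text in links:
        shown = urlparse(text).hostname if "://" in text else None
        if shown is not None and shown != urlparse(href).hostname:
            flagged.append((href, text))
    return flagged


def report(raw_message):
    """Everything a user forwarding this message should be warned about."""
    image_srcs, links = scan(raw_message)
    return {"remote_images": remote_images(image_srcs),
            "deceptive_links": deceptive_links(links)}


if __name__ == "__main__":
    for key, items in report(SAMPLE_MESSAGE).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against the sample it reports two network fetches (the real PayPal header graphic and the 1x1 tracking pixel) and one link whose text claims paypal.com while its href is a bare IP address; the relative and cid: images are correctly left out, since a client resolves those without touching the network.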
Comment 1•19 years ago
*** This bug has been marked as a duplicate of 300223 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•19 years ago
Status: RESOLVED → VERIFIED