Closed Bug 305204 Opened 19 years ago Closed 5 years ago

Improve From: display in brief headers to avoid spoofing potential

Categories

(Thunderbird :: Message Reader UI, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: mrsoto, Unassigned)

References

Details

(Whiteboard: [dupeme])

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.7.8) Gecko/20050718 Firefox/1.0.4 (Debian package 1.0.4-2sarge1)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.7.8) Gecko/20050718 Firefox/1.0.4 (Debian package 1.0.4-2sarge1)

When the [-] symbol is selected in the mail's header section in order to get a tiny
header, a specially constructed email allows a phishing attack.

I have several emails that came from

service@paypal.com <service@mythtv.lan>

and the main window displays it as

service@paypal.com

I believe that if the display part of an email has an "@" symbol, it should be
displayed in full, or the display part should be dropped.

Reproducible: Always

Actual Results:  
service@paypal.com

Expected Results:  
service@paypal.com <service@mythtv.lan>
or
<service@mythtv.lan>

I select Critical because we can lose $, not data.
Header example:

From - Fri Aug 19 09:49:00 2005
X-Account-Key: account2
X-UIDL: 48347df24b1d1575161d7ff827bf79b1
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Apparently-To: xxxx@yahoo.com via 68.142.200.102; Thu, 18 Aug 2005 18:35:47 -0700
X-YahooFilteredOver: 160.80.216.93
X-Originating-IP: [160.80.216.93]
Return-Path: <admin@sogaula26server.sogaula26server>
Authentication-Results: mta177.mail.mud.yahoo.com
  from=mythtv.lan; domainkeys=neutral (no sig)
Received: from 160.80.216.93  (EHLO SOGAula26Server) (160.80.216.93)
  by mta177.mail.mud.yahoo.com with SMTP; Thu, 18 Aug 2005 18:35:47 -0700
Received: by SOGAula26Server (Postfix, from userid 501)
	id D46BC7738A1; Thu, 18 Aug 2005 21:57:20 +0200 (CEST)
To: mrsoto@yahoo.com
Subject: Your account will be suspended!
From: service@paypal.com <service@mythtv.lan>
Content-Type: text/html
Message-Id: <20050818195720.D46BC7738A1@SOGAula26Server>
Date: Thu, 18 Aug 2005 21:57:20 +0200 (CEST)


(In reply to comment #0)
> I select Critical because we can lose $, not data.

That's not a valid criterion.  If you're that concerned about being spoofed, you 
should be reading the address filled in when you click Reply, and you shouldn't 
run with collapsed (brief) headers.

See also bug 251279.
Severity: critical → enhancement
Summary: The @ symbol in email's display part is not informed when one line header view is activated → Improve From: display in brief headers to avoid spoofing potential
Version: unspecified → Trunk
*** Bug 325417 has been marked as a duplicate of this bug. ***
Coming from bug #325417, here's some more info:

When viewing headers as "normal", only the display name is shown. No tooltip (the request in bug #325417).

In TB 2.0.0.0 (20070326) I've noticed the following:

Right-clicking on the display name opens a context menu, and the first item is the email address. However, the multi-pane window and the single message window behave differently, see attachments.
Attached image 3pane window
The actual email that comes with the display name is visible in the context menu.
See attachment context1, green border.
Attached image single message window
See attachment context2, in the context menu there is no email displayed. Compare to attachment context1.
QA Contact: front-end
Assignee: mscott → nobody
> I have several emails that came from
>
> service@paypal.com <service@mythtv.lan>
>
> and the main window displays it as
>
> service@paypal.com
>
> I believe that if the display part of an email has an "@" symbol, it should be
> displayed in full, or the display part should be dropped.

I think it should be more general than that:  If the From address isn't in our address books then *always* show the Full Name + the email address when using Brief Headers.

Currently, if using Brief Headers, TB3.0b2 doesn't show the email address of unknown senders (neither in the header pane nor in the thread pane) and I think that's not good.
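
The display rules proposed in this thread, combined into one function as an added example (not Thunderbird code and not written by anyone in this bug). The function names, the Map-based address book and the small From: parser are assumptions made for illustration.

```javascript
// Header value taken from the report in this bug.
const REPORTED_FROM = "service@paypal.com <service@mythtv.lan>";
// Constructed sample: an ordinary sender with a plain display name.
const ORDINARY_FROM = '"Jane Doe" <jane@example.org>';

// Something that looks like an address inside a display name.
const ADDR_LIKE = /[^\s<>"@]+@[^\s<>"@]+/;

// Minimal parser (assumption: handles `name <addr>`, `"name" <addr>`, bare `addr`).
function parseFrom(value) {
  const m = value.trim().match(/^(.*?)\s*<([^<>]*)>\s*$/);
  if (!m) {
    return { displayName: "", address: value.trim().toLowerCase() };
  }
  const displayName = m[1].replace(/^"(.*)"$/, "$1").trim();
  return { displayName, address: m[2].trim().toLowerCase() };
}

// True when the display name carries an address that differs from the real one.
function displayNameSpoofsAddress({ displayName, address }) {
  const m = displayName.match(ADDR_LIKE);
  return m !== null && m[0].toLowerCase() !== address;
}

// addressBook: hypothetical Map of lower-cased address -> name stored by the user.
function renderBriefFrom(value, addressBook = new Map()) {
  const parsed = parseFrom(value);
  if (addressBook.has(parsed.address)) {
    // Known sender: the locally stored name replaces the one in the message.
    return addressBook.get(parsed.address);
  }
  if (parsed.displayName === "" || displayNameSpoofsAddress(parsed)) {
    // No name, or a name that shows a different address: show the address only.
    return `<${parsed.address}>`;
  }
  // Unknown sender: always show the name together with the address.
  return `${parsed.displayName} <${parsed.address}>`;
}

console.log(renderBriefFrom(REPORTED_FROM)); // <service@mythtv.lan>
console.log(renderBriefFrom(ORDINARY_FROM)); // Jane Doe <jane@example.org>
```
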
potential duplicates / related from bug query https://mzl.la/2gvb5XY
bug 53703
bug 913346
bug 911236
bug 973799
bug 1131817
Component: Mail Window Front End → Message Reader UI

The from address is displayed correctly as service@paypal.com <service@mythtv.lan> for me, both with "Show only display name for people in my address book" checked and unchecked. I see this in the thread pane and in the message pane.

If the address is in my address book and I have the option checked, it ignores the specified display name and takes the display name from the address book.

The [-] sign isn't available in Thunderbird anymore, it is now in the CompactHeader add-on, but there it also shows service@paypal.com <service@mythtv.lan>

Suspect we have another bug report which covers this

Flags: needinfo?(kaie)
Whiteboard: [dupeme]

This bug looks to be WFM per comment 9.

Based on comment 9, this bug was in a classic, optional display mode, which allowed a compact header display.
If this behavior is no longer part of Thunderbird, then this bug is invalid.

You'd probably have to report this issue to the maintainer of that add-on.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(kaie)
Resolution: --- → INVALID