312542 - Clicking 'no' in the scam warning opens page anyway

Status: RESOLVED FIXED

(Thunderbird :: Security, defect)

Description

[ch-world]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1

I did get an email scam from someone who wants get my ebay password. There is a
link to an IP which wants to be a copy of the ebay Site. After clicking on it, a
window opens where Thunderbird asks "... Are you sure you want to visit
81.116.144.178?" After clicking on no the page opens like by clicking on yes. I
don't know if it's important but the massges was in the trash.

Thunderbird Version: version 1.5 Beta 2 (20051006)

Reproducible: Sometimes

Steps to Reproduce:
1. Open a scam mail
2. Click a link
3. If Thunderbird ask you if you want to visit the page do "No"

Actual Results:  
Sometimes the page opens. But not all the time.

Expected Results:  
Not open the page ;)

Comment 1

[Magnus Melin [:mkmelin]]

Worksforme here.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b5) Gecko/20051015
Thunderbird/1.4.1 ID:2005101506

Comment 2

[Daniel Veditz [:dveditz]]

WFM with 1.5 beta 2 (20051006). What version are you using? your Firefox is from
that date, is your Thunderbird as well?

Do you get this behavior on all links when the phishing detector goes off, or
just this one?

Sometimes the phishy link gets opened if the link text is not a URL ("Click here
to activate") and the link host is not numeric, but in those cases I don't get
the "Are you sure" dialog. In the two dozen phishing links I just tried from my
trash (mixture of numeric addresses and not) I could not reproduce this problem.

Comment 3

[ch-world]

Attachment: the mail causing the problem

Comment 4

[ch-world]

Yes, thunderbird and firefox are both 20051006.
The scam warning was the first time with importet profile.

Comment 5

[Ray Booysen]

*** Bug 313321 has been marked as a duplicate of this bug. ***

Comment 6

[Ray Booysen]

New bug report reporting same issue. Reopening

Comment 7

[Wayne Ostrowercha]

The scam alert box seems to work properly when a phishing link is clicked from the Message Pane (F8), but exhibits the broken behavior when the link is clicked from an opened email. (1.5 Beta 2)

Comment 8

[Daniel Veditz [:dveditz]]

Ah ha! That's exactly it. The bug happens when opened from the messageWindow, but not from the message pane.

Comment 9

[Daniel Veditz [:dveditz]]

Attachment: Don't go to the scam page if user says "no"

I think this ought to go into rc1. It's a small, safe patch that makes messageWindow.xul match messenger.xul which works correctly. The cost of not taking it is a very visible failure in one of the high-profile new thunderbird features.

Comment 10

[Scott MacGregor]

Comment on attachment 200715 [details] [diff] [review]
Don't go to the scam page if user says "no"

that's odd, this is working for me.

If we respin RC1 again then we can pick this up. This is a pretty bad issue, I'll see if I can reproduce.

Ah I see the trick is to use the stand alone message window....Nice one Dan.

Go ahead and check this in now.

Comment 11

[Scott MacGregor]

Dan let's wait until I'm sure we're about to do a respin and then I'll land it. 

Comment 12

[Scott MacGregor]

I landed Dan's patch for this on the the branch and the trunk. Has no impact on Firefox.