Can send mail from anyone without needing their password



13 years ago
12 years ago


(Reporter: mox11, Assigned: mscott)


Firefox Tracking Flags

(Not tracked)




13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060111 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060111 Firefox/

I found a way to send email from profiles of password secured users.
Thunderbird asks for their password but sends the email anyway when you click cancel.
I would be happy to walk you through step by step if needed.
This could be handy for getting raises or any number of problems the hack would like to create.
To resolve this just tighten the code to not allow mail to be sent without a password on accounts that have one.

Reproducible: Always

Steps to Reproduce:
1.Just add a profile by email address and server info (available from headers info or WhoIs)
2.Send the email using that profile.
3.Wait a couple seconds for it to send and canel the password request.

Actual Results:  
The email recipient gets an email from the hack thinking the email is from the person whose profile has been impersonated.

Expected Results:  
see above

The email should not have been sent if the password was not entered.
If Thunderbird is asking for a password it's because the server asked for the password, and if the server doesn't enforce that it's really not up to Thunderbird.

a step by step walkthrough might be helpful, as would collecting a processing log while you're doing this. See -- for sending mail you want the SMTP logs.

A wild guess might be that the account is set to retrieve mail automatically, and the password request is actually on retrieving mail from the POP or IMAP server. You can cancel that and only the retrieving of mail will be blocked. Sending mail talks to a SMTP server that manages its password--or even has none--completely separately. One easy way to test this is to open the account settings dialog, go to the server settings page, and make sure the two "Check for messages" boxes are UN-checked. Then rerun the test and see if you're asked for a password.

Some SMTP (sending) servers don't bother with passwords because it's trivial to forge mail that looks like it came from someone else. The main reason for using passwords is to make sure the server is not used by spammers, and that can sometimes be accomplished by ensuring that users are on the correct local network or some similar mechanism.

Anyway, the SMTP log as described in the link above will tell us what your server is requesting and if there's really a password request that's getting bypassed.
Assignee: dveditz → mscott
Whiteboard: [sg:needinfo]
Note that you don't need to send mail from someone's account to forge mail that appears to be from them. Only digital signing (and that requires a password) can prevent forgeries.
Group: security
Last Resolved: 12 years ago
Resolution: --- → INVALID
Whiteboard: [sg:needinfo]
You need to log in before you can comment on or make changes to this bug.