Closed Bug 577105 Opened 14 years ago Closed 14 years ago

Without logging in, you can see and read any messages previously received

Categories

(Thunderbird :: Security, defect)

x86
macOS
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 16489

People

(Reporter: mark, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

If you click the cancel logon several times, then try to Command-Q quit, there is a small window of time where it is possible to mouse-click an inbox or local folder and then eventually to click or double-click a previously received message and be able to read it. This effectively bypasses the security of the logon - permitting unauthorized persons to read the mail. Each time you Command-Q while the logon prompt is up, there is a small window of time to do this before the logon prompt appears again. As an aside, you should be able to Command-Q and actually quit instead of sending the logon prompt again.

Reproducible: Always

Steps to Reproduce:
1. Click CANCEL on logon prompt several times.
2. Do a Command-Q to quit and quickly mouse-click a folder or message - repeat until you get to a previously downloaded message.
3. Do a Command-Q to quit and quickly double-click a message - this will open the message in the "reader" window so that you can read it.

Actual Results:
I was able to bypass the logon security and read messages previously received and stored in local folders - messages that should be secured.

Expected Results:
It should not be possible to read anything (mail - even folder names) until the logon security has been satisfied and completed successfully.

See bug 547436 comment 1. The Master Password feature only protects your mail credentials, not the messages themselves. You shouldn't rely on it to prevent people from reading already-downloaded messages.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE