Closed Bug 819333 Opened 13 years ago Closed 13 years ago

copied HTML links attach local files without user notice

Categories

(Thunderbird :: Security, defect)

16 Branch
x86
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 819171

People

(Reporter: curtisk, Unassigned)

Details

reported to sec@ by gary_AT_quollwriter.com
----------------//----------------
This report relates to: Thunderbird 16.0.2 on Windows 7 but it may not be version or platform specific.

The issue is that Thunderbird, when sending an HTML email, will send local files from your computer (and it may well work for network drives) in the email without user intervention. There is no indication that the file is being sent nor, on the received email (so if you BCC yourself), that there are attachments.

For example use the link below:

Click me to view the file

The HTML was copied from a web page and pasted into this email. At no point was I asked if I wanted the file to be attached, this is done automatically. The file URL is a full path to the file on the local drive.

It is not difficult to see how, with a little social engineering, this could be used to extract files from a user's machine and sent to the attacker, for example: "Visit our web page, copy the link then send it to X". There may even be automatic ways to do it, if Thunderbird allows for HTML in mailto links.

You'll notice that in the source of the email the file has been Base64 encoded, I don't know if this would help malicious files bypass virus scanners.

This mechanism could also be used as a vehicle for attack code since the file in the link could be an executable, Thunderbird asks you to choose an application to open it but less savvy users may not notice. For example I tried sending myself a file from C:/Windows/System32 and it sent the file but asked for an application to open it.

I believe this feature needs user intervention, asking them what their preference is (since it is useful in certain circumstances). Also the files need to be exposed as attachments so you know you have sent them.

Thanks,
Gary Bentley
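The user-intervention step the report asks for needs a pre-send check that finds links in the pasted HTML which point at files on disk or on a share. The following is an added example of such a check, not Thunderbird's own code: a hypothetical helper that scans a compose body for `file:` URLs, Windows drive paths and UNC paths (the report's local-drive case generalised to network drives, which it says may also be affected) and returns them so the client can warn before anything is attached. The sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit
import re

# Windows drive path (C:\... or C:/...) or UNC share path (\\server\share\...)
_LOCAL_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\[^\\/]+[\\/])")


def classify_ref(url):
    """Return 'file', 'drive' or 'unc' when a reference resolves to a file on
    disk or on a network share, or None for an ordinary web/mailto link."""
    raw = unquote(url.strip())  # undo %5C etc. before matching the path shape
    if _LOCAL_PATH.match(raw):
        return "unc" if raw.startswith("\\\\") else "drive"
    if urlsplit(raw).scheme.lower() == "file":
        return "file"
    return None


class _RefCollector(HTMLParser):
    """Collect every href/src attribute together with the tag it sits on."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append((tag, name, value))


def local_file_refs(html_body):
    """Return [(tag, attr, url, kind)] for each reference that would make the
    client pull a local or shared file into the outgoing message."""
    collector = _RefCollector()
    collector.feed(html_body)
    return [(tag, attr, url, classify_ref(url))
            for tag, attr, url in collector.refs if classify_ref(url)]


# Constructed sample: HTML as it might be pasted from a web page into the composer.
SAMPLE_HTML = (
    '<p>Report attached.</p>'
    '<a href="file:///C:/Users/gary/Documents/secret.docx">Click me to view the file</a>'
    '<img src="C:\\Windows\\System32\\calc.exe">'
    '<a href="\\\\fileserver\\finance\\q3.xlsx">quarterly numbers</a>'
    '<a href="https://example.com/page">safe web link</a>'
)

if __name__ == "__main__":
    for tag, attr, url, kind in local_file_refs(SAMPLE_HTML):
        print(f"WARNING: <{tag} {attr}> would attach a {kind} path: {url}")
```

A client would run `local_file_refs` on the body at send time and prompt the user for each hit, which also makes the attachment visible rather than silent.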
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Keywords: csec-other
Group: core-security → core-security-release
Group: core-security-release