Closed Bug 839856 Opened 11 years ago Closed 8 years ago

Emails with remote content viewable cannot stop showing remote content

Categories

(Thunderbird :: Security, defect)

17 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: britfox42, Unassigned)

Details

(Keywords: csectype-disclosure, privacy, sec-low)

Attachments

(2 files, 1 obsolete file)

334.75 KB, image/png
Details
11.20 KB, text/plain
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130201065344

Steps to reproduce:

Clicked on a new email.

The beginning of the email source looks like this:

------=_Part_4808692_641008542.1359558263055
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-ecm-part-format: email-html

<html><body><img src=3D"http://foru.votreactuwelcome.com/tr/p.gif?uid=3D345=
8745102&mid=3D874512036&msd=3D1485036740215" width=3D"1" height=3D"1" /><ce=
nter>

<table>
<tbody><tr><td>
<img src=3D"http://img.natexo.fr/dealexclusif/2013-01-24/images/logo-deal-e=
xclusif.png" alt=3D"Deal exclusif" border=3D"0" height=3D"80" width=3D"600"=
>
</td></tr>
</tbody></table>


Actual results:

Pictures were loaded without any warning.
I guess it's because of the "3D" in the "img src" part.

What's annoying is that the spammers are using the p.gif picture to identify me, whether I've opened the mail, or my approximate location.


Expected results:

Pictures shouldn't have been loaded.
Correction:
It's not because of the "3D" in the "img src" part...
Is Thunderbird marking this as spam mail, or is Hotmail?
Flags: sec-bounty?
This email isn't on my hotmail account and Thunderbird isn't marking this as spam.
It just loads the pictures when it shouldn't.

But I've forgotten something in the email source...
And it's interesting since there are multiple part formats ("X-ecm-part-format: email-text" and "X-ecm-part-format: email-html").

So, here is the beginning just after the header:

------=_Part_4808692_641008542.1359558263055
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-ecm-part-format: email-text

1500 euros de bon d achat =C3=A0 valoir dans votre supermarch=C3=A9
=20
Vous aurez =C3=A0 tout moment la possibilit=C3=A9 de ne plus recevoir les s=
=C3=A9lections du programme Deal Exclusif

> Je ne souhaite pas recevoir les s=C3=A9lections des partenaires de Deal E=
xclusif

Nous vous remercions de votre confiance et de votre fid=C3=A9lit=C3=A9 !
------=_Part_4808692_641008542.1359558263055
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-ecm-part-format: email-html

<html><body><img src=3D"http://foru.votreactuwelcome.com/tr/p.gif?uid=3D345=
8745102&mid=3D874512036&msd=3D1485036740215" width=3D"1" height=3D"1" /><ce=
nter>

<table>
<tbody><tr><td>
<img src=3D"http://img.natexo.fr/dealexclusif/2013-01-24/images/logo-deal-e=
xclusif.png" alt=3D"Deal exclusif" border=3D"0" height=3D"80" width=3D"600"=
>
</td></tr>
</tbody></table>
And the Content-Type is also different in each part (text/plain and text/html).
(In reply to britfox42 from comment #3)
> This email isn't on my hotmail account and Thunderbird isn't marking this as
> spam.
> It just load the pictures while it shouldn't.
> 

I think I see what you're commenting about; the issue is that remote images are being loaded without a prompt?

The config that controls this is
     mailnews.message_display.disable_remote_image;true 
If set to true remote images should be blocked, unless the domain is in the config
     mail.trusteddomains
-OR- 
If the sender you are receiving the mail from has the "Allow remote content" set in the address book.
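As an added example (not code from the bug report or from Thunderbird itself), the following Python script ties together the two technical points made so far: it parses a multipart/alternative message shaped like the one quoted in comment 3, decodes the quoted-printable HTML part, lists the remote `<img>` sources and flags 1x1 tracking pixels, then applies the remote-content policy described in this comment (the `mailnews.message_display.disable_remote_image` pref, `mail.trusteddomains`, and an address-book allow list). The sample message, the prefs.js excerpt and the domains are constructed; treating `mail.trusteddomains` as a comma-separated list and modelling the per-message "Show Remote Content" approval as a plain boolean input are assumptions of the example, not documented Thunderbird behaviour.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the structure quoted in the report: multipart/alternative,
# quoted-printable parts, a 1x1 tracking pixel followed by a logo. Domains are placeholders.
SAMPLE_EML = b"""From: Deal Exclusif <news@promo.example>
To: reader@example.org
Subject: 1500 euros de bon d achat
MIME-Version: 1.0
Content-Type: multipart/alternative;
\tboundary="----=_Part_CONSTRUCTED"

------=_Part_CONSTRUCTED
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

1500 euros de bon d achat =C3=A0 valoir dans votre supermarch=C3=A9
------=_Part_CONSTRUCTED
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<html><body><img src=3D"http://tracker.example/tr/p.gif?uid=3D12345&mid=3D6=
7890" width=3D"1" height=3D"1" /><center>
<img src=3D"http://img.promo.example/logo.png" alt=3D"Deal exclusif" width=3D=
"600" height=3D"80">
</center></body></html>
------=_Part_CONSTRUCTED--
"""

# Constructed prefs.js excerpt containing the two preferences named in the thread.
SAMPLE_PREFS = '''user_pref("mailnews.message_display.disable_remote_image", true);
user_pref("mail.trusteddomains", "");
'''

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src is an http(s) URL, i.e. remote content."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):  # also reached for self-closing <img ... />
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlparse(src).scheme in ("http", "https"):
            self.images.append({"url": src, "width": a.get("width"), "height": a.get("height")})


def parse_prefs(prefs_js):
    """Minimal prefs.js reader: booleans, quoted strings and integers."""
    prefs = {}
    for name, raw in PREF_RE.findall(prefs_js):
        raw = raw.strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def remote_content_allowed(prefs, sender, allowed_senders, message_approved=False):
    """Policy as described in the thread: blocked while the pref is true, unless the sender's
    domain is trusted, the address-book entry allows remote content, or the user already
    approved remote content for this particular message (assumed here to be a plain flag)."""
    if not prefs.get("mailnews.message_display.disable_remote_image", True):
        return True, "remote images not disabled in prefs"
    domain = sender.rsplit("@", 1)[-1].lower()
    # Assumption: mail.trusteddomains holds a comma-separated list of domains.
    trusted = {d.strip().lower() for d in prefs.get("mail.trusteddomains", "").split(",") if d.strip()}
    if domain in trusted:
        return True, "sender domain listed in mail.trusteddomains"
    if sender.lower() in {s.lower() for s in allowed_senders}:
        return True, "address-book entry allows remote content"
    if message_approved:
        return True, "remote content previously approved for this message"
    return False, "blocked by mailnews.message_display.disable_remote_image"


def analyze(eml_bytes, prefs_js, allowed_senders, message_approved=False):
    """Return the remote images, the likely tracking pixels and the policy decision."""
    msg = message_from_bytes(eml_bytes, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec
    finder = RemoteImageFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())  # get_content() undoes quoted-printable and charset
    pixels = [i["url"] for i in finder.images
              if (i["width"] or "").strip() in ("0", "1") and (i["height"] or "").strip() in ("0", "1")]
    allowed, reason = remote_content_allowed(parse_prefs(prefs_js), sender, allowed_senders, message_approved)
    return {"sender": sender, "remote_images": finder.images, "tracking_pixels": pixels,
            "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    report = analyze(SAMPLE_EML, SAMPLE_PREFS, allowed_senders=set())
    for img in report["remote_images"]:
        kind = "TRACKING PIXEL" if img["url"] in report["tracking_pixels"] else "remote image"
        print(f"{kind}: {img['url']}")
    print("would display:", report["allowed"], "-", report["reason"])
```

Run against the constructed message, the script reports both remote images, singles out the 1x1 `p.gif` with its per-recipient `uid` as a tracking pixel, and concludes that with the pref set to true, no trusted domain and an empty address book the content should be blocked; only the per-message approval flag flips the decision, which is the state the rest of this thread ends up investigating.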
"I think I see what you're commenting about; the issue is that remote images are being loaded without a prompt?" -> Exactly :)

The config is set like this (using the about:config window):
mailnews.message_display.disable_remote_image;true
mail.trusteddomains; (empty)

And my address book is empty too.
Component: Untriaged → Security
Summary: Some spam mail pictures are loaded without any warning → remote images loaded without prompt
Another interesting quote from the mail header:

Content-Type: multipart/alternative; 
	boundary="----=_Part_4808692_641008542.1359558263055"
We really need the entire source of the mail, including all the attachments/parts. It's impossible to tell from partial quotes. Please save the mail to a file and then add it as an attachment to this bug (please don't paste it into a comment, that's hard to deal with and will lose some of the formatting/line-breaks).

Are any of the attachments images? A lot of spam uses in-line images, and those WILL be displayed by Thunderbird since they are not "remote". Those wouldn't be the ones you listed above with obvious http: urls though.
Flags: needinfo?(britfox42)
There's no attachment at all.

I've saved the mail into an eml file and added it as an attachment to this bug.
Flags: needinfo?(britfox42)
Attached file eml file (obsolete) —
Can you attach a screenshot of the email in Thunderbird? I've just loaded that here, and I'm not seeing any obvious remote images being loaded.
Attached image screenshot
The remote images aren't loaded by Thunderbird when I open a .eml file of this particular mail.
Attached file eml file
Attachment #714009 - Attachment is obsolete: true
I have other mails inside the same directory, but their remote images are blocked as they should be.
Attachment #714073 - Attachment mime type: application/octet-stream → text/plain
Haven't reproduced this yet...
Unable to reproduce, and seems like sec-moderate if it could be. Marking non-qual for bug bounty.
Flags: sec-bounty? → sec-bounty-
@britfox42 I really wonder if you accidentally selected the "Allow Remote images" or "Allow Remote images for this sender" option which is why you're getting the case of the one particular email showing remote images.

I think to really explain/reproduce this, we'd need the files associated with the folder on disk. For example, you could:

1) Create a new folder, and drag the email there which reproduces the issue (and check it still reproduces once in that folder).

2) Go into your profile [1] and look for the *Mail sub-directories, and in one of those should be the folder you just created.

Attach the folder and its .msf file to this bug, or send to me directly.

It may also be useful to ensure that the email address of the sender of the email is not in your address book, or if it is in your address book that it does not have "allow remote images" enabled.
Flags: needinfo?(britfox42)
It doesn't load the remote image after I've copied the email file (which contains the spam in question) and renamed it.

I had probably selected the "Show the content now" ("Afficher les contenus maintenant" in French) option.

But it seems the option is stored in the .msf file, which was created after restarting Thunderbird, and it doesn't ask to show the content anymore.

I think it would be clever to make it work only ONE time.

Because it's like allowing to load the content forever for this particular email.
And there's no way to disallow that except by deleting the .msf file.
Flags: needinfo?(britfox42)
Thanks for the response. I'm sure there's a bug around somewhere on being able to turn off showing remote content for a particular email, but I can't find it. I'd like to see if Wayne can find this bug hence requesting info from him.

I can understand only showing remote content one time, but I think there's going to be some set of people who would want that saved. Which would make this a complex UI option.

Also, downgrading to sec-low, but I'm not sure this is a security bug anymore.
Flags: needinfo?(vseerror)
Keywords: sec-moderate → sec-low
Summary: remote images loaded without prompt → Emails with remote content viewable cannot stop showing remote content
I need to hand off because of time pressures ... hopefully someone else can carry the ball :)
Flags: needinfo?(vseerror)
Flags: needinfo?(rsx11m.pub)
Flags: needinfo?(jsabash)
Sorry, I'm unable to reproduce this. The message in attachment 714073 [details] shows up without any remote content for me and the "Show Remote Content" button is present as it should.

Looking at the message itself doesn't seem to reveal anything specific with it either that would hint towards bypassing that mechanism.

Since the reporter doesn't see the issue with the exported .eml message either, it's not a matter of white-listing senders or domains but rather related to the message itself and its local status in the folder.

I don't know if the content-policy flags are stored in the X-Mozilla-Status headers or the .msf files (neither is exported with a saved message), but that would be the next point of investigation.

Having said that, I've seen reports in the past that the "Show Remote Content" button isn't showing up as intended for some messages (no specific pointer to a bug report here), thus it could be either accidental approval of remote images or a different manifestation of that related issue.
Flags: needinfo?(rsx11m.pub)
Comment on attachment 714073 [details]
eml file

>X-Mozilla-Status: 0001
>X-Mozilla-Status2: 00000000

Ok, the internal status headers /are/ indeed present here, but there's nothing suspicious about those flags.
(In reply to rsx11m from comment #22)
> Sorry, I'm unable to reproduce this. The message in attachment 714073 [details]
> shows up without any remote content for me and the "Show Remote
> Content" button is present as it should.

Please read comment 20, the request wasn't about reproducing, but finding an existing similar bug.
Flags: needinfo?(rsx11m.pub)
(In reply to Mark Banner (:standard8) from comment #20)
> I'm sure there's a bug around somewhere on being able to turn off showing
> remote content for a particular email, but I can't find it.

I don't think that I understand exactly what you are looking for. By default, showing remote content is off for a message unless explicitly enabled. If that's done for the message only rather than by sender (for which an Address Book entry would be added in this case), there is bug 626988 - In some messages, it is not possible to revoke remote image permissions.

(In reply to rsx11m from comment #22)
> Having said that, I've seen reports in the past that the "Show Remote
> Content" button isn't showing up as intended for some messages

I couldn't find any recent example for these cases (all duped or marked fixed), or anything similar to what's described here (i.e., automatic loading with remote content without prior approval to do so).
Flags: needinfo?(rsx11m.pub)
Flags: needinfo?(jsabash)
Group: mail-core-security
Group: mail-core-security
Group: core-security → mail-core-security
WFM for me too.
Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME