Emails disclosure on Thunderbird

RESOLVED INVALID

Status

Thunderbird
Security
RESOLVED INVALID
5 years ago
4 years ago

People

(Reporter: Fabian Cuchietti, Unassigned)

Tracking

26 Branch
x86
Windows 7

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 798534
thunderbird-mail-disclosure.mp4

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130814063812

Steps to reproduce:

Hello Mozilla Security,

I discovered an issue in "Earlybird / Thunderbird": emails can be read without having the Thunderbird access password; this allows full disclosure of a user's emails. Attached is a video as proof of concept.


Steps to reproduce:
Open Mozilla and go to the following directory:

file:///C:/Users/{PC-USER}/AppData/Roaming/Thunderbird/Profiles/j1k1jwpq.default/ImapMail/imap.googlemail.com/%5BGmail%5D.sbd/Todos

I have read the emails without having to get your password,

Regards.

Comment 1

5 years ago
(not security sensitive)
Group: core-security
Whiteboard: dupeme
(Reporter)

Comment 2

5 years ago
What does "dupeme" mean?
(Reporter)

Comment 3

5 years ago
Is this issue considered valid?

Thunderbird makes no promises about data security on the local machine and is not designed for multiple users from the same login. If users are concerned about data security, they should use OS level protection, or other security applications to sandbox Thunderbird in a way that can only be accessed by password.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID

Updated

4 years ago
Whiteboard: dupeme
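
The final reply points to OS-level protection as the control for the local mail store. As an added example (not part of the bug report and not Thunderbird's own code), this PowerShell script lists NTFS ACL entries that let accounts other than the profile owner read the `ImapMail` and `Mail` folders of each profile. The default profile root, the `-ProfilesRoot` parameter name, the list of expected accounts and PowerShell 3.0 or later are assumptions.

```powershell
# Added example: audit who can read Thunderbird's on-disk mail folders.
# Assumption: profiles live under %APPDATA%\Thunderbird\Profiles unless
# -ProfilesRoot (a name chosen for this example) says otherwise.
param(
    [string]$ProfilesRoot = (Join-Path $env:APPDATA 'Thunderbird\Profiles')
)

# Accounts expected to have access on a single-user workstation (assumption).
$expected = @(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)
$read = [System.Security.AccessControl.FileSystemRights]::ReadData

# ImapMail and Mail hold the message stores inside each profile directory.
$stores = Get-ChildItem -Path $ProfilesRoot -Directory |
    ForEach-Object { Get-ChildItem -Path $_.FullName -Directory } |
    Where-Object { $_.Name -in 'ImapMail', 'Mail' }

$findings = foreach ($store in $stores) {
    # Check the store folder itself and everything beneath it.
    $items = @($store) + @(Get-ChildItem -Path $store.FullName -Recurse -Force)
    foreach ($item in $items) {
        foreach ($rule in (Get-Acl -LiteralPath $item.FullName).Access) {
            # Only Allow entries carrying the ReadData bit are reported;
            # ACEs expressed purely as generic rights are not decoded here.
            $grantsRead = $rule.AccessControlType -eq 'Allow' -and
                          ($rule.FileSystemRights -band $read) -eq $read
            if ($grantsRead -and $rule.IdentityReference.Value -notin $expected) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $rule.IdentityReference.Value
                    Rights   = $rule.FileSystemRights
                }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Identity -Unique | Format-Table -AutoSize
} else {
    Write-Output "No unexpected read access found under $ProfilesRoot"
}
```

An empty result only shows that other accounts are not granted read access; anyone already working inside the owner's logged-in session can still open the files, which is the case the reply describes as out of scope.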