Closed Bug 926018 Opened 11 years ago Closed 11 years ago

major glitch allows access to emails and settings without login

Categories

(Thunderbird :: Security, defect)

24 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 318697

People

(Reporter: thefirstmad, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130910160258

Steps to reproduce:

After my internet connection went down without my knowledge, I happened to open my Thunderbird to check my mail. Imagine my surprise when it didn't ask me to input my password and allowed me full access to the program and settings.

As soon as the internet went online again the password box popped up and I no longer had access to emails/settings until I typed in my password.

After this I rebooted the system to clear it and then proceeded to repeat the bug simply by disconnecting the LAN cable from the computer. I was again able to read emails/change settings until I plugged the cable back in and the password box popped back up.

Rolled back 2 versions (only ones still in rollback options) and discovered it was in both of the previous release versions as well. I then dragged out an old computer with a 4-year-old version on it and found the same bug.

Mad

Actual results:

Every time my system is disconnected from the net BEFORE loading Thunderbird, free access is allowed to the emails and the email settings until the internet becomes active. This applies to:
1) manually unplugging LAN cable,
2) killing wifi signal with interference or at source,
3) actual internet failure (ISP),
4) disabling the internet connection(s) using system.

After the internet connection is re-established, the login password box appears and denies all access until password is correctly entered.



Expected results:

Starting Thunderbird should have blocked all access to emails/settings until after security password was entered correctly rather than look for connection BEFORE displaying password box. Basically move the password lock point ahead of loading the components/email database in order to prevent exploitation of this bug.

I'm not sure if this is functioning as expected or not. I've CC'd a few people so maybe they can offer an opinion.

Unfortunately, the Thunderbird master password was never intended to offer this type of local-protection - it only protects your mail passwords, not the mail itself. It's a common source of confusion. Bug 16489 and bug 318697 are about adding such features.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE