Bugtraq mailing list archives
Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
From: David Rasch <d.rasch () broadwick com>
Date: Thu, 02 Mar 2006 13:55:54 -0500
------------------------------------------------------------------------
Subject: Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
From: Steve Shockley <steve.shockley () shockley net>
Date: Tue, 28 Feb 2006 18:57:57 -0500
To: Renaud Lifchitz <r.lifchitz () sysdream com>
CC: full-disclosure () lists grok org uk, bugtraq () securityfocus com, security () mozilla org

Renaud Lifchitz wrote:
Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

The css part of this "exploit" is actively used by Intellicontact (or whatever they call themselves this week), the host of the factcheck.org mailing list. For example:

<LINK href=http://mail1.icptrack.com/track/relay.php?r=###&msgid==###&act=####&admin=0&destination=http://www.factcheck.org/styles/subpage_nn.css type=text/css rel=stylesheet>
<snip>
Reference: http://www.bucksch.com/1/projects/mozilla/108153/
Steve et al.,

I'm most reminded of the adage 'never attribute to malice what can adequately be explained by a dumb regex [sic]'.
We here at IntelliContact had no idea that our software was applying the tracking we provide to our customers onto CSS references, much less that Thunderbird loaded these links regardless of general-user accessible security settings. The tracking information we put in emails is part of the value we provide to our customers (since our inception, always under the name of IntelliContact), but had/have no intention of exploiting security problems such as this to gain such information on their behalf. The foundation of our product is to facilitate communication between our customers and willing recipients (http://www.intellicontact.com/terms/anti-spam.php).
I've filed the issue mentioned above as a bug with my team and we'll get it fixed as soon as possible. I laud your attention to detail with this discovery and invite anyone with further concerns to contact me directly.
Thanks
--
David C. Rasch, CTO
Broadwick Corporation
(919) 968-3996
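The behaviour discussed in this thread, a click-tracking redirect ending up on a stylesheet reference that the mail client fetches when it renders the message, can be checked for in an HTML body before it is sent or displayed. The following is an added example, not part of the thread and not IntelliContact's or Mozilla's code; the host `tracker.example`, the sample message and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Elements whose URL is fetched while the message renders (no user click).
RENDER_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

def wrapped_destination(url):
    """Return the URL carried in a query parameter if url is a redirect wrapper."""
    for _name, value in parse_qsl(urlsplit(url).query):
        if value.lower().startswith(("http://", "https://")):
            return value
    return None

class RemoteRefAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            trigger, url = "click", attrs.get("href")
        elif tag in RENDER_FETCH:
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return  # only stylesheet links are considered here
            trigger, url = "render", attrs.get(RENDER_FETCH[tag])
        else:
            return
        if url and urlsplit(url).scheme in ("http", "https"):
            self.findings.append({"tag": tag, "trigger": trigger, "url": url,
                                  "wrapped": wrapped_destination(url)})

def audit(html):
    parser = RemoteRefAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

def tracked_on_render(html):
    """Redirect-wrapped references that load without any user action."""
    return [f for f in audit(html) if f["trigger"] == "render" and f["wrapped"]]

# Constructed sample message body; tracker.example is a placeholder host.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://tracker.example/relay.php?r=1&amp;msgid=2&amp;destination=http://www.example.org/site.css">
</head><body>
<a href="http://tracker.example/relay.php?r=1&amp;msgid=2&amp;destination=http://www.example.org/">News</a>
<img src="cid:logo@example.org">
<img src="http://www.example.org/banner.png"></body></html>"""
```

`tracked_on_render(SAMPLE)` reports only the stylesheet link; the wrapped `<a>` is listed by `audit` with trigger `click`, which is where a link rewriter is expected to apply tracking.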