Thunderbird is a local (rather than a web-based) email application. But hackers can inject HTML tags into an email message and, once a user replies to or forwards that message, the exploit is triggered. The vulnerability allows the attacker to execute malicious script code in the victim’s browser, resulting in script code injection, persistent phishing, client-side redirects and similar client-side attacks.
The researcher who submitted the vulnerability (and proof-of-concept exploit) to Mozilla under its bug bounty program said that the security controls and filters in the application can be easily evaded if an attacker encodes the payloads with base64 and combines them with the <object> tag.
“By default, HTML tags like <script> and <iframe> are blocked in Thunderbird and get filtered immediately upon insertion,” the researcher said in a Vulnerability Labs posting. “While drafting a new email message, attackers can easily bypass the current input filters…and insert malicious scripts / code, e.g. (script / frame), within the emails and send it to the victims. The exploit gets triggered once the victim decides to reply back.”
He added, “These sorts of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete compromise of the end user system. The persistent code injection vulnerability is located within the main application.”
Mozilla has fixed the issue in the latest version of Thunderbird, and users should upgrade right away. The unfortunate thing is that exploitation of the persistent application vulnerability requires little user interaction, and the filter bypass and persistent script code injection vulnerabilities can be exploited by remote attackers without any direct user interaction at all, and without a privileged user account.