Vigil@nce: Thunderbird, Webmail, read detection via DNS Prefetch
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can send an HTML email containing a link to a
customized domain name, in order to detect if the victim read the
message.
Severity: 1/4
Consequences: data reading
Provenance: document
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 03/02/2010
IMPACTED PRODUCTS
– Mozilla Thunderbird
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The "DNS Prefetching" feature is used by web browsers to resolve
domain names contained in an HTML page before the user clicks on
a link, so that the linked pages load faster.
Several webmail services do not disable this feature. So, when the
user reads an email in a web browser, the browser tries to resolve
the domain names contained in the HTML page.
Moreover, Thunderbird resolves these names, even if the email is
displayed as text.
An attacker can therefore, for example, send the victim an email
containing http://victim.attacker.dom/. If the attacker’s DNS
server receives a query to resolve victim.attacker.dom, the
attacker can deduce that the victim read the email.
An attacker can therefore send an HTML email containing a link to
a customized domain name, in order to detect if the victim read
the message.
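As an added example (not part of the original bulletin), the
following Python check audits a webmail response for the standard
X-DNS-Prefetch-Control: off header or its meta equivalent, and
lists the external link hostnames a prefetching browser could
resolve. The name audit_page, the domain webmail.example and the
sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkScan(HTMLParser):
    """Collect link hostnames and any in-page prefetch-control meta tag."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.meta_off = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            self.meta_off = a.get("content", "").strip().lower() == "off"
        elif tag in ("a", "link", "area") and a.get("href"):
            host = urlsplit(a["href"].strip()).hostname
            if host:
                self.hosts.add(host.lower())


def audit_page(headers, html, own_domain):
    """Return (prefetch_disabled, hosts a prefetching browser could resolve)."""
    scan = _LinkScan()
    scan.feed(html)
    # HTTP header names are case-insensitive, so normalise before lookup.
    header_val = {k.lower(): v for k, v in headers.items()}.get("x-dns-prefetch-control", "")
    disabled = header_val.strip().lower() == "off" or scan.meta_off
    # Hostnames under the webmail's own domain (assumed) reveal nothing new.
    external = sorted(h for h in scan.hosts
                      if h != own_domain and not h.endswith("." + own_domain))
    return disabled, ([] if disabled else external)


# Constructed sample: a webmail page rendering the message from the bulletin.
SAMPLE_HTML = """<html><head><title>Inbox</title></head><body>
<a href="/inbox">Back</a>
<div class="msg"><a href="http://victim.attacker.dom/">click here</a></div>
</body></html>"""

if __name__ == "__main__":
    print(audit_page({"Content-Type": "text/html"}, SAMPLE_HTML, "webmail.example"))
    print(audit_page({"X-DNS-Prefetch-Control": "off"}, SAMPLE_HTML, "webmail.example"))
```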
CHARACTERISTICS
Identifiers: 492196, 8836, VIGILANCE-VUL-9403
http://vigilance.fr/vulnerability/Thunderbird-Webmail-read-detection-via-DNS-Prefetch-9403