Vigil@nce: Thunderbird, Webmail, read detection via DNS Prefetch
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can send an HTML email containing a link to a customized domain name, in order to detect if the victim read the message.
Severity: 1/4
Consequences: data reading
Provenance: document
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 03/02/2010
IMPACTED PRODUCTS
Mozilla Thunderbird
Unix - platform
DESCRIPTION OF THE VULNERABILITY
The "DNS Prefetching" feature is used by web browsers to resolve the domain names contained in an HTML page before the user clicks on a link, so that the linked pages load faster.
Several webmail services do not disable this feature. So, when the user reads an email in a web browser, the browser tries to resolve the domain names contained in the HTML page.
Moreover, Thunderbird resolves these names, even if the email is displayed as text.
For example, an attacker can send the victim an email containing http://victim.attacker.dom/. If the attacker's DNS server receives a query to resolve victim.attacker.dom, the attacker can deduce that the victim read the email.
An attacker can therefore send an HTML email containing a link to a customized domain name, in order to detect if the victim read the message.
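A check a webmail operator could run against a rendered message page, as an added example that is not part of the original bulletin: it reports whether the page turns DNS prefetching off through the X-DNS-Prefetch-Control response header or the equivalent meta http-equiv tag, and which link hostnames a prefetching browser could otherwise resolve. The function name and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PageScan(HTMLParser):
    """Collects link hostnames and any in-page prefetch-control directive."""

    def __init__(self):
        super().__init__()
        self.hosts = []
        self.meta_control = None  # content of <meta http-equiv="x-dns-prefetch-control">

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            self.meta_control = a.get("content", "").strip().lower()
        elif tag == "a" and "href" in a:
            # mailto: and relative links have no hostname and are skipped
            host = urlsplit(a["href"].strip()).hostname
            if host and host not in self.hosts:
                self.hosts.append(host)


def audit_webmail_page(headers, html):
    """Return (prefetch_disabled, hostnames a prefetching browser may resolve)."""
    scan = _PageScan()
    scan.feed(html)
    header = {k.lower(): v.strip().lower() for k, v in headers.items()}
    disabled = header.get("x-dns-prefetch-control") == "off" or scan.meta_control == "off"
    exposed = [] if disabled else scan.hosts
    return disabled, exposed


# Constructed sample: a webmail page rendering the message from the bulletin.
SAMPLE_HTML = """<html><head><title>Inbox</title></head><body>
<div class="msg">Hello, see <a href="http://victim.attacker.dom/">this page</a>
and <a href="mailto:someone@example.org">write back</a>.</div></body></html>"""

if __name__ == "__main__":
    print(audit_webmail_page({"Content-Type": "text/html"}, SAMPLE_HTML))
    print(audit_webmail_page({"X-DNS-Prefetch-Control": "off"}, SAMPLE_HTML))
```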
CHARACTERISTICS
Identifiers: 492196, 8836, VIGILANCE-VUL-9403






