Potential disclosure of sensitive information in Netscape 7.0 email client.

Overview:
=================

Netscape 7.0 includes, as part of its release, an email client capable of handling POP3 and IMAP accounts. The method that the email client uses to permanently delete email messages is not explained, which could leave users with large quantities of email messages that they believe to be permanently deleted still stored in clear text on their hard disks.

Tested product:
=================

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
(from the About Netscape window)

Description:
=================

Netscape's email client stores received email messages in mailbox files, which are basically sequentially written ASCII text files. A second file is used to save the status of each individual message contained in the mailbox file (read, unread, flagged, etc.).

When a user deletes an email message from, for example, his inbox folder within the email client, it is sent to the 'Trash' folder. The user can then right-click on this folder and select 'Empty trash' from the popup menu. In most Windows-based applications, this action would permanently remove the contents of the trash folder, recycle bin, or appropriate substitute. In Netscape's email client, it does not. The deleted email messages are only marked for removal in the status file which accompanies the mailbox file. It is only when the user chooses to compact the folder which originally contained the deleted email message (and not the trash folder!) that the deleted messages are permanently removed.

Recovery of messages not permanently removed by compacting is trivial. A simple file-parsing VBScript is all that is needed to extract all individual messages from a mailbox file and dump them as separate .eml files.
The help system [1] that accompanies Netscape's email client states the following, under the section "Using Netscape Mail -> Deleting Messages":

// BEGIN QUOTE

"To delete messages from your Inbox or other folders, begin from the Mail window:

1. In the message list, select the messages and click Delete. By default, Mail & Newsgroups moves the selected messages to the Trash folder.
2. To delete messages permanently, open the File menu and choose Empty Trash."

<........>

"To delete messages permanently:

a. Open the File menu and choose Empty Trash."

// END QUOTE

It is misleading to state that, to delete messages permanently, a user should simply "Empty Trash". As a mitigating factor in Netscape's favour, an unrelated area of the help file (IMAP Server Settings) contains the following statement:

// BEGIN QUOTE

"When I delete a message: Choose the behavior you want for deleted messages. "Move it to the Trash folder" is recommended unless you are instructed to use a different setting by your system administrator or service provider. Messages marked as deleted are removed only when you compact folders."

// END QUOTE

However, such a setting is NOT available, and it is NOT mentioned in any form, for POP mailboxes. So a user reading only about setting up options or using a POP account would be unaware of this behaviour. He will not know that messages are only permanently removed when the original folder is compacted, after the trash folder is emptied. Even if he read the IMAP section, he would have to make the connection between the two and realise the problem.

Possible solutions:
=================

A setting exists in the email client configuration (Edit -> Preferences -> Offline & Disk Space Preferences) that automatically compacts the message folders when compacting would save the amount of disk space entered. The default value for this setting is 100kB. This feature is NOT enabled by default in the tested Netscape installation.
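An added example, not part of the original advisory or of the script it links to: a Python check that lists which messages are still physically present in a mailbox file and how many bytes compacting would reclaim, compared against the 100 kB auto-compact default above. The `X-Mozilla-Status` header and its 0x0008 "expunged" bit are an assumption about the Mozilla mailbox format that the advisory does not state; the function names and the sample mailbox are constructed.

```python
import re

# Assumption (not stated in the advisory): Mozilla-family clients also write an
# X-Mozilla-Status header into the mailbox file; bit 0x0008 marks "expunged".
EXPUNGED = 0x0008
AUTO_COMPACT_THRESHOLD = 100 * 1024  # the 100 kB default quoted in the advisory

SEPARATOR = re.compile(rb"^From .*$", re.MULTILINE)  # mbox message separator
STATUS = re.compile(rb"^X-Mozilla-Status:[ \t]*([0-9A-Fa-f]{4})[ \t\r]*$", re.MULTILINE)
SUBJECT = re.compile(rb"^Subject:[ \t]*(.*?)[ \t\r]*$", re.MULTILINE)

# Constructed sample mailbox: one live message, one deleted but not compacted.
SAMPLE = (
    b"From - Mon Dec 23 10:00:00 2002\nX-Mozilla-Status: 0001\n"
    b"Subject: Lunch on Friday\n\nSee you at noon.\n\n"
    b"From - Mon Dec 23 10:05:00 2002\nX-Mozilla-Status: 0009\n"
    b"Subject: Payroll details\n\nBody the user believes is gone.\n\n"
)


def audit_mailbox(data):
    """Return one record per message still physically present in the file."""
    starts = [m.start() for m in SEPARATOR.finditer(data)]
    records = []
    for begin, end in zip(starts, starts[1:] + [len(data)]):
        raw = data[begin:end]
        # Only inspect the header block, which ends at the first blank line.
        headers = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
        status, subject = STATUS.search(headers), SUBJECT.search(headers)
        flags = int(status.group(1).decode(), 16) if status else 0
        records.append({"offset": begin, "size": len(raw), "deleted": bool(flags & EXPUNGED),
                        "subject": subject.group(1).decode("latin-1") if subject else ""})
    return records


def reclaimable_bytes(records):
    """Bytes that compacting the folder would remove from disk."""
    return sum(r["size"] for r in records if r["deleted"])


def would_auto_compact(records, threshold=AUTO_COMPACT_THRESHOLD):
    """Model of the preference: compact once the saving reaches the threshold."""
    return reclaimable_bytes(records) >= threshold


if __name__ == "__main__":
    recs = audit_mailbox(SAMPLE)
    for r in recs:
        print(r["offset"], r["size"], "DELETED" if r["deleted"] else "live", r["subject"])
    print("reclaimable:", reclaimable_bytes(recs), "auto-compact:", would_auto_compact(recs))
```

A folder that reports deleted messages but stays under the threshold would not be compacted automatically even with the preference enabled, so it still needs a manual compact.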
Optionally, use the popup menu which appears on right-clicking a folder to compact it manually whenever sensitive messages have been deleted by sending them to Trash.

Reproducing the problem:
=================

A VBScript which asks for an input Netscape mailbox file and outputs individual .eml messages into a subdirectory called name_of_mailbox_eml is available for download at:

http://www.sonar-security.com/files/netscape_email_converter.zip

MD5 Sum: 202aebc3b3629303cd644f75f606dc15

You are encouraged to review the source code of downloaded scripts with an appropriate editor before executing them.

Vendor status:
=================

Netscape was notified of the problem on the 24th of December, 2002, via their online Security Bug Report Form, available at:

http://help.netscape.com/forms/bug-security.html

We haven't received a reply from Netscape, not even an automatic confirmation email of the bug report.

References:
=================

[1] Netscape 7.0 email help file, Copyright © 1994-2002 Netscape Communications Corporation. http://www.netstcape.com

Michael Puchol
Sonar Security
mailto:mpuchol@sonar-security.com