------------------------------------------------------------------------
Subject:
Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
From:
Steve Shockley <steve.shockley@xxxxxxxxxxxx>
Date:
Tue, 28 Feb 2006 18:57:57 -0500
To:
Renaud Lifchitz <r.lifchitz@xxxxxxxxxxxx>
CC:
full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx,
security@xxxxxxxxxxx
Renaud Lifchitz wrote:
Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
The css part of this "exploit" is actively used by Intellicontact (or
whatever they call themselves this week), the host of the
factcheck.org mailing list. For example:
<LINK href=http://mail1.icptrack.com/track/relay.php?r=###&msgid=
=###&act=####&admin=0&destination=http://www.factcheck.org/styles/subpage_nn.css
type=text/css rel=stylesheet>
<snip>
Reference: http://www.bucksch.com/1/projects/mozilla/108153/
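The relay pattern described above (a stylesheet link whose URL carries per-recipient tracking parameters plus a destination parameter that hands back the real CSS after the fetch is logged) is something a receiving side can audit before rendering. The following Python script is an added example, not code from Steve, Renaud, Mozilla or IntelliContact: it parses a constructed HTML mail body, lists every external stylesheet, @import and image the client would fetch, and flags those whose query string could identify the recipient or whose parameters embed a redirect target. Host names and parameter values in the sample are placeholders shaped like the link quoted above.

```python
"""Audit an HTML mail body for external resources that would phone home when rendered.

Added example (not code from the thread's authors): finds <link rel=stylesheet>,
@import rules inside <style> blocks and <img src> references, then classifies each
URL by whether its query string carries per-recipient identifiers and whether one
of its parameters is itself a URL (a relay that serves the real stylesheet only
after logging the fetch).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: host names and parameter values are placeholders, shaped
# like the relay link quoted in the thread (tracking ids + destination= real CSS).
SAMPLE_MAIL = """<html><head>
<link href="http://tracker.example.net/track/relay.php?r=1234&amp;msgid=5678&amp;act=ABCD&amp;admin=0&amp;destination=http://www.example.org/styles/subpage.css" type="text/css" rel="stylesheet">
<style>
@import url("http://tracker.example.net/track/relay.php?r=1234&destination=http://www.example.org/styles/print.css");
</style>
</head><body>
<p>Newsletter body.</p>
<img src="http://tracker.example.net/track/open.php?r=1234&msgid=5678" width="1" height="1">
</body></html>"""

# Matches "@import url(...)" and "@import '...'" forms; captures the URL.
IMPORT_RE = re.compile(r'@import\s+(?:url\()?["\']?([^"\')\s;]+)', re.I)


class ExternalResourceFinder(HTMLParser):
    """Collects (kind, url) pairs for resources a mail client would fetch."""

    def __init__(self):
        super().__init__()
        self.resources = []
        self._style_buf = None  # accumulates raw text while inside a <style> element

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser lowercases names, unescapes values
        if tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.resources.append(("stylesheet", a["href"]))
        elif tag == "img" and a.get("src"):
            self.resources.append(("image", a["src"]))
        elif tag == "style":
            self._style_buf = []

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style_buf is not None:
            css = "".join(self._style_buf)
            self._style_buf = None
            for url in IMPORT_RE.findall(css):
                self.resources.append(("css-import", url))


def classify(url):
    """Describe what fetching `url` reveals: host, tracking params, relay target."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    redirect_target = None
    for values in query.values():
        for v in values:
            if v.lower().startswith(("http://", "https://")):
                redirect_target = v  # a parameter that is itself a URL: relay/redirect
    return {
        "host": parts.hostname,
        "tracked": bool(parts.query),  # any query string can carry a recipient id
        "redirect_target": redirect_target,
    }


def audit_mail_html(html):
    """Return one finding per external resource, in document order."""
    finder = ExternalResourceFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for kind, url in finder.resources:
        if not url.lower().startswith(("http://", "https://")):
            continue  # relative or inline references cannot phone home
        entry = {"kind": kind, "url": url}
        entry.update(classify(url))
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit_mail_html(SAMPLE_MAIL):
        flag = "RELAY" if f["redirect_target"] else ("TRACKED" if f["tracked"] else "plain")
        print(f"{flag:8} {f['kind']:11} {f['host']}  ->  {f['redirect_target'] or '-'}")
```

Run against the sample, all three references resolve to the same tracking host, and the two stylesheet references are relays whose `destination` parameter names the real CSS; a client that honours "block remote content" for images but still fetches stylesheets would leak the open to the first two even with images disabled. The same finder can be pointed at a raw `.eml` body after MIME decoding to check what a given mail would fetch.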
Steve et al.,
I'm most reminded of the adage 'never attribute to malice what can
adequately be explained by a dumb regex [sic]'.
We here at IntelliContact had no idea that our software was applying the
tracking we provide to our customers onto CSS references, much less that
Thunderbird loaded these links regardless of general-user accessible
security settings. The tracking information we put in emails is part
of the value we provide to our customers (since our inception, always
under the name of IntelliContact), but had/have no intention of
exploiting security problems such as this to gain such information on
their behalf. The foundation of our product is to facilitate
communication between our customers and willing recipients
(http://www.intellicontact.com/terms/anti-spam.php).
I've filed the issue mentioned above as a bug with my team and we'll get
it fixed as soon as possible. I laud your attention to detail with this
discovery and invite anyone with further concerns to contact me directly.
Thanks
--
David C. Rasch, CTO
Broadwick Corporation
(919) 968-3996