Date: Thu, 02 Mar 2006 13:55:54 -0500
From: David Rasch <d.rasch@...adwick.com>
To: bugtraq@...urityfocus.com
Cc: steve.shockley@...ckley.net
Subject: Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities


>
> ------------------------------------------------------------------------
>
> Subject: Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
> From: Steve Shockley <steve.shockley@...ckley.net>
> Date: Tue, 28 Feb 2006 18:57:57 -0500
> To: Renaud Lifchitz <r.lifchitz@...dream.com>
> CC: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, security@...illa.org
>
> Renaud Lifchitz wrote:
>> Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
>
> The css part of this "exploit" is actively used by Intellicontact (or 
> whatever they call themselves this week), the host of the 
> factcheck.org mailing list.  For example:
>
> <LINK href=http://mail1.icptrack.com/track/relay.php?r=###&msgid=###&act=####&admin=0&destination=http://www.factcheck.org/styles/subpage_nn.css type=text/css rel=stylesheet>
>
<snip>
> Reference: http://www.bucksch.com/1/projects/mozilla/108153/
>
Steve et al.,

I'm most reminded of the adage 'never attribute to malice what can 
adequately be explained by a dumb regex [sic]'.

We here at IntelliContact had no idea that our software was applying the 
tracking we provide to our customers onto CSS references, much less that 
Thunderbird loaded these links regardless of general-user accessible 
security settings. The tracking information we put in emails is part 
of the value we provide to our customers (since our inception, always 
under the name of IntelliContact), but had/have no intention of 
exploiting security problems such as this to gain such information on 
their behalf. The foundation of our product is to facilitate 
communication between our customers and willing recipients 
(http://www.intellicontact.com/terms/anti-spam.php).

I've filed the issue mentioned above as a bug with my team and we'll get 
it fixed as soon as possible. I laud your attention to detail with this 
discovery and invite anyone with further concerns to contact me directly.

Thanks
--
David C. Rasch, CTO
Broadwick Corporation
(919) 968-3996
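The exposure Steve describes, a stylesheet `<link>` in an HTML message that the client fetches on render while carrying per-recipient parameters, is something a mail gateway or client-side filter can flag before any remote content is loaded. The scanner below is an added example and is not code from either poster, from Mozilla or from IntelliContact; it walks an HTML body for every reference that would cause an outbound fetch (stylesheet links, `@import` and `url()` in CSS, images, scripts, frames) and reports which of them carry query parameters that look like recipient identifiers. The sample message, the host names and the list of parameter names treated as tracking hints are all constructed for illustration.

```python
"""Flag remote resources in an HTML e-mail body that a mail client would fetch
when rendering, and note which ones carry recipient-identifying parameters.
Added example; sample HTML, hosts and the hint list are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Tag/attribute pairs that trigger a network fetch when remote content renders.
FETCH_ATTRS = {
    "link": ("href",),
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "body": ("background",),
}

# Query-parameter names commonly used to tie a fetch to one recipient.
# Hypothetical list for this example; a real filter would tune it.
TRACKING_PARAM_HINTS = {"r", "msgid", "act", "uid", "email", "recipient"}

# CSS references: url(...) anywhere, plus @import "..." without url().
URL_FUNC_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)""", re.I)
IMPORT_PLAIN_RE = re.compile(r"""@import\s+['"]([^'"]+)['"]""", re.I)


class RemoteResourceFinder(HTMLParser):
    """Collect every http(s) URL the client would request while rendering."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag names and decodes &amp;
        if tag == "style":
            self._in_style = True
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):
                self._record(tag, name, attrs[name])
        if attrs.get("style"):  # inline style="background: url(...)"
            for url in URL_FUNC_RE.findall(attrs["style"]):
                self._record(tag, "style", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> body is delivered raw (CDATA mode)
            for url in URL_FUNC_RE.findall(data) + IMPORT_PLAIN_RE.findall(data):
                self._record("style", "css", url)

    def _record(self, tag, attr, url):
        parsed = urlparse(url.strip())
        if parsed.scheme not in ("http", "https"):
            return  # cid:/data: references never leave the client
        params = set(parse_qs(parsed.query, keep_blank_values=True))
        self.found.append({
            "tag": tag,
            "attr": attr,
            "host": parsed.hostname,
            "url": url,
            "tracking_params": sorted(params & TRACKING_PARAM_HINTS),
        })


def find_remote_resources(html):
    """Return one record per remote fetch the HTML would cause, in document order."""
    parser = RemoteResourceFinder()
    parser.feed(html)
    parser.close()
    return parser.found


def summarize(found):
    """Return (number of remote fetches, number carrying tracking-style params)."""
    return len(found), sum(1 for f in found if f["tracking_params"])


# Constructed sample message: a tracked stylesheet link of the kind quoted in
# the thread, a CSS @import, an inline background, an inline (cid:) logo and
# a tracking pixel. Hosts and identifiers are placeholders.
SAMPLE_EMAIL_HTML = """<html><head>
<style>@import url("http://tracker.example/t/pixel.css?r=RCPT-ID");</style>
<link href="http://tracker.example/track/relay.php?r=RCPT-ID&amp;msgid=MSG-ID&amp;act=open&amp;destination=http://www.example.org/styles/page.css" type="text/css" rel="stylesheet">
</head><body>
<p style="background: url('https://cdn.example/bg.png')">Hello</p>
<img src="cid:logo123" alt="inline logo">
<img src="http://tracker.example/open.gif?r=RCPT-ID" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    hits = find_remote_resources(SAMPLE_EMAIL_HTML)
    for h in hits:
        flag = "TRACKING " + ",".join(h["tracking_params"]) if h["tracking_params"] else "plain"
        print(f"<{h['tag']} {h['attr']}> {h['host']:<20} {flag}")
    print("remote fetches: %d, with tracking params: %d" % summarize(hits))
```

The check deliberately treats a stylesheet reference no differently from an image: as the thread shows, the fetch is what leaks the recipient identifier, regardless of the content type the URL claims to serve. A gateway would typically rewrite or drop the flagged references, or at least refuse to render remote content for messages where `summarize` reports tracking parameters.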
