After waiting more than two years for a flaw to be fixed, a researcher publicly disclosed a security bug in the Thunderbird email client.

Do you use the free email client Thunderbird? Do you also use Tor? If so, you should know there's been a security flaw awaiting a fix from Mozilla for over two years; now the bug has been publicly disclosed. Mike Cardwell, a developer, IT consultant, sysadmin and security researcher in the UK, informed the Tor-talk mailing list about a security issue in the Thunderbird app.

Normally, when you click on a link in an email, the link opens in your default web browser. Hopefully, you've all but weaponized your browser with extensions and add-ons to better protect your privacy and security. If you are using Tor, you're going to a bit more trouble to protect yourself, and you don't want those defenses bypassed. However, when blogging more details about the security leak in Thunderbird, Cardwell explained: "I've discovered a way of crafting a link such that when you're using Thunderbird and you click on that link, it opens the website in a new Thunderbird tab instead of in the external web browser."

The point matters because a page opened inside Thunderbird is fetched and rendered with Thunderbird's own network and content settings: the proxy configuration, script blocking and HTTPS enforcement you set up in the browser never see the request. In Cardwell's case, his "browser of choice is Firefox." He wrote:

"I have made various configuration changes and installed various addons in Firefox to enhance my security and privacy. Amongst other things, I use RequestPolicy, NoScript, RefControl, AdBlock, CipherFox, HTTPS-Everywhere, I have proxy settings and sometimes I use Tor. If a link opens in a Thunderbird tab instead of a Firefox tab, all of those defenses are bypassed.

Secondly, when the external website opens in a Thunderbird tab, there is no identifying chrome around the page which would allow the user to differentiate between a tab containing any other part of the Thunderbird interface and a malicious site which is spoofing part of the Thunderbird interface."

Then Cardwell laid out the details:

- The email must contain a text/html part.
- That text/html part must contain an anchor embedded in an inline SVG (Scalable Vector Graphics) element.
- That anchor tag must have either the target attribute set to "_blank" or the xlink:show attribute set to "new".

Cardwell's post includes example markup. He also noted that the usual way of checking where a link leads before opening it does not work for these links: "With normal anchor tags you can right click on a link and then select 'Copy Link Location' from the context menu and paste it into the web browser. However, that option is not available in the context menu when right clicking SVG anchors." In other words, you cannot simply copy the destination and open it yourself in your hardened browser.

Cardwell added that he reported the security flaw "to Mozilla in November 2011 (26 months ago) and it was promptly acknowledged as a 'moderate' security problem by them. It has not been fixed yet." If you try to check Mozilla's security bug 700979, you currently see "access denied," since Mozilla keeps security-sensitive bugs restricted until they are fixed; Cardwell included a link for when the bug details are unlocked.

Since finding the flaw and waiting for the vulnerability to be patched, Cardwell has moved away from using Thunderbird. Instead, he suggested using the desktop email client Evolution. "It has built in PGP and Calendar support, without needing to use third-party addons, has a much faster UI than Thunderbird, and unlike Thunderbird is currently under heavy development. Oh, and it also has write support for LDAP-based address books (unlike Thunderbird)."

If you are wondering why you should take Cardwell's security advice about migrating away from Thunderbird to Evolution, consider that, among other things, he has discovered numerous security and privacy flaws and has contributed rulesets to HTTPS Everywhere.
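Because the context menu gives you no way to inspect these links before clicking, a mail-side check is the practical defense until the client is fixed. The following Python script is an added example written for this page, not Cardwell's proof-of-concept or any Thunderbird code: it walks the MIME parts of a message, finds the text/html part, and reports every anchor that sits inside an inline SVG element and carries target="_blank" or xlink:show="new", the exact conditions Cardwell lists, together with the destination the link would open. The sample message embedded in the script is constructed for illustration, and example.test is a hypothetical domain.

```python
"""Flag SVG-embedded anchors in an email's text/html part that would open
in a Thunderbird tab instead of the external browser.

Added example for this page; not Cardwell's own proof-of-concept.
Uses only the standard library so it runs offline against an .eml file.
"""
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message (hypothetical domain example.test). The
# text/html part carries one ordinary anchor and one SVG anchor that
# matches the conditions described in the article.
SAMPLE_EML = """\
From: sender@example.test
To: victim@example.test
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

View your invoice: https://example.test/invoice

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Plain anchor (opens in the external browser):
<a href="https://example.test/invoice">invoice</a></p>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="40">
  <a xlink:href="https://example.test/invoice" target="_blank">
    <text x="10" y="25">Click here to view your invoice</text>
  </a>
</svg>
</body></html>
--b1--
"""


class SvgAnchorFinder(HTMLParser):
    """Collect destinations of <a> elements nested inside <svg> that have
    target="_blank" or xlink:show="new"."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0   # >0 while we are inside an <svg> element
        self.hits = []       # destinations of matching anchors

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
            return
        if tag == "a" and self.svg_depth > 0:
            # HTMLParser lowercases attribute names, so "xlink:show" is
            # looked up as written; values are compared case-insensitively.
            a = {name: (value or "") for name, value in attrs}
            if a.get("target", "").lower() == "_blank" or \
               a.get("xlink:show", "").lower() == "new":
                # SVG anchors may use either href or xlink:href.
                self.hits.append(a.get("href") or a.get("xlink:href") or "")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def find_svg_new_tab_links(raw_eml):
    """Return the destinations of all SVG anchors in the message's text/html
    parts that would open in a Thunderbird tab rather than the browser."""
    msg = message_from_string(raw_eml)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)   # undoes base64/quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        finder = SvgAnchorFinder()
        finder.feed(payload.decode(charset, errors="replace"))
        hits.extend(finder.hits)
    return hits


if __name__ == "__main__":
    for dest in find_svg_new_tab_links(SAMPLE_EML):
        print("SVG anchor opening in a Thunderbird tab ->", dest)
```

The ordinary anchor in the sample is ignored and only the SVG anchor is reported, which is the distinction that matters here: a link that looks identical in the rendered message takes a different code path depending on whether it is wrapped in an inline SVG element. Pointing the script at a message with no text/html part yields nothing, since the first of Cardwell's conditions is not met.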