------------------------------------------------------------------------
Subject: Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
From: Steve Shockley <steve.shockley@xxxxxxxxxxxx>
Date: Tue, 28 Feb 2006 18:57:57 -0500
To: Renaud Lifchitz <r.lifchitz@xxxxxxxxxxxx>
CC: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, security@xxxxxxxxxxx

Renaud Lifchitz wrote:
Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

The css part of this "exploit" is actively used by Intellicontact (or whatever they call themselves this week), the host of the factcheck.org mailing list. For example:

<LINK href=http://mail1.icptrack.com/track/relay.php?r=###&msgid==###&act=####&admin=0&destination=http://www.factcheck.org/styles/subpage_nn.css type=text/css rel=stylesheet>
<snip>
Reference: http://www.bucksch.com/1/projects/mozilla/108153/
Steve et al.,

I'm most reminded of the adage 'never attribute to malice what can adequately be explained by a dumb regex [sic]'.
We here at IntelliContact had no idea that our software was applying the tracking we provide to our customers onto CSS references, much less that Thunderbird loaded these links regardless of general-user accessible security settings. The tracking information we put in emails is part of the value we provide to our customers (since our inception, always under the name of IntelliContact), but had/have no intention of exploiting security problems such as this to gain such information on their behalf. The foundation of our product is to facilitate communication between our customers and willing recipients (http://www.intellicontact.com/terms/anti-spam.php).
I've filed the issue mentioned above as a bug with my team and we'll get it fixed as soon as possible. I laud your attention to detail with this discovery and invite anyone with further concerns to contact me directly.
Thanks
--
David C. Rasch, CTO
Broadwick Corporation
(919) 968-3996
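
Added example, not part of either message in this thread: a Python check that a mail gateway or client could run over an HTML mail part to list the elements that trigger a remote fetch when the message is rendered, including the stylesheet LINK form quoted above, and to report the URL wrapped inside a redirect parameter. The tag list, the host names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Tag/attribute pairs that make a renderer fetch a URL without user action.
# Assumed, non-exhaustive list chosen for this example.
REMOTE_ATTRS = {
    ("link", "href"), ("img", "src"), ("iframe", "src"),
    ("script", "src"), ("body", "background"),
}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        for t, name in REMOTE_ATTRS:
            if t != tag or not a.get(name):
                continue
            # Only LINK elements that load a stylesheet are fetched on render.
            if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
                continue
            parts = urlsplit(a[name].strip())
            if parts.scheme not in ("http", "https"):
                continue  # cid:, data: and similar stay inside the message
            # A query value that is itself a URL marks a tracking redirect hop.
            wrapped = [v for vs in parse_qs(parts.query).values() for v in vs
                       if v.lower().startswith(("http://", "https://"))]
            self.findings.append({
                "tag": tag,
                "host": parts.hostname,
                "redirects_to": wrapped[0] if wrapped else None,
            })

def find_remote_refs(html_body):
    finder = RemoteRefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings

# Constructed sample modelled on the LINK element quoted in the thread.
SAMPLE = """<html><head>
<LINK href=http://tracker.example/relay.php?r=1&msgid=2&destination=http://www.example.org/site.css type=text/css rel=stylesheet>
<link rel="icon" href="cid:logo">
</head><body><img src="cid:part1"><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for finding in find_remote_refs(SAMPLE):
        print(finding)
```

A message with any finding can be rendered with remote content blocked, or have the element rewritten before delivery.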