This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Big security concen by using thunderbird email client

Hi Team,

We just found a flaw in Thunderbird where any user can send an email to anyone using name/identity of anyone.

Steps:-

1. Navigate to Accounts Settings. 2. Change your Name to Any Name(say my subordinate name) 3. Change Email address to any email address(say my subordinate name) 4. Save the changes and send any email.

Now email will be sent 'from' Subordinate email address to anyone Hence A person can send email to B person from C person identity.

Please look into this and find any solution so that any misuse of others email id can be avoided.

Thanks, Amar

Hi Team, We just found a flaw in Thunderbird where any user can send an email to anyone using name/identity of anyone. Steps:- 1. Navigate to Accounts Settings. 2. Change your Name to Any Name(say my subordinate name) 3. Change Email address to any email address(say my subordinate name) 4. Save the changes and send any email. Now email will be sent 'from' Subordinate email address to anyone Hence A person can send email to B person from C person identity. Please look into this and find any solution so that any misuse of others email id can be avoided. Thanks, Amar

All Replies (2)

I doubt it would be that simple. In any case, you can avoid such a scenario by using different Windows user accounts for different people using the same computer.

Hi Amar, how would you suggest that Thunderbird verify the "true" email address of the sender?

For example, Thunderbird might prohibit the "from" name/address to be different from the account login credentials. However, there are people who receive and send email for multiple identities (aliases) with a single account, and this would create a problem for those users.

I think if this is a major concern for your organization, you should try to enforce it on the server side. For example, the SMTP server software might be configured to reject messages where the from name/address do not match the account login credentials, or it might rewrite them to the from name/address of the account so that forging is impossible. I don't know which mail servers can do this.


Also, if you are concerned about security, it's very strange that your browser identified itself to the forum as Firefox 18. Is that correct?!

Version 18 is not secure; Mozilla discloses security flaws after each new release. If something is holding you back from upgrading to Firefox 40 (or for ESR users, 38.2), please start a new question so we can suggest solutions or workarounds: https://support.mozilla.org/questions/new/desktop (scroll down past suggested articles if they are not relevant to continue submitting your question)

If Help > About Firefox shows Firefox 40.0.2, you may need to clear the preference that is misreporting your version number. See: How to reset the default user agent on Firefox.