Thunderbird Decryption Oracle
I recently disclosed several security and privacy vulnerabilities in Thunderbird. At worst, these vulnerabilities can be exploited by an adversary with access to a collection of intercepted encrypted messages to trick Thunderbird into decrypting any given message and sending the resulting plaintext back to the adversary. This attack worked with Thunderbird's default configuration, i.e. even when loading of remote resources is disabled.
- CVE-2022-3033 - Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
- CVE-2022-3032 - Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
- CVE-2022-45412 - Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content
- PoC Writeup
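As an added example (not code from the original writeup or from Thunderbird), a defender-side scanner for a mail gateway or triage script that flags inbound HTML mail carrying the two constructs named in the CVE list above: a META refresh tag and an iframe whose srcdoc references remote content. The sample message is constructed; the page does not name the specific tags behind CVE-2022-45412, so they are not matched here.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample (not from the original writeup): an HTML mail carrying a
# META refresh and an iframe srcdoc that embeds a remote image reference.
SAMPLE_EML = """From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><head>
<meta http-equiv="refresh" content="0; url=https://collector.invalid/drop">
</head><body>
<p>hello</p>
<iframe srcdoc="&lt;img src=&quot;https://collector.invalid/pixel.png&quot;&gt;"></iframe>
</body></html>
"""

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


class RiskyConstructFinder(HTMLParser):
    """Collects (kind, detail) findings for META refresh and remote srcdoc iframes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us entity-decoded attribute values, so the nested
        # document inside srcdoc is already plain HTML at this point.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        if tag == "iframe" and "srcdoc" in a and REMOTE_URL.search(a["srcdoc"]):
            self.findings.append(("iframe-srcdoc-remote", a["srcdoc"]))


def scan_html_email(raw_message: str):
    """Parse a raw RFC 5322 message and scan every text/html part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RiskyConstructFinder()
            finder.feed(part.get_content())
            findings.extend(finder.findings)
    return findings


if __name__ == "__main__":
    for kind, detail in scan_html_email(SAMPLE_EML):
        print(f"{kind}: {detail}")
```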