Mozilla Thunderbird Portable privacy issue [resolved]

Discuss anything related to portable freeware here.
Post Reply
Message
Author
User avatar
webfork
Posts: 8302
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Mozilla Thunderbird Portable privacy issue [resolved]

#1 Post by webfork » Mon Nov 15, 2010 3:04 pm

I noticed a privacy problem with a SeaMonkey test and Thunderbird (v3.1.6) appears to exhibit the same behavior (unsurprising since its based on the same code). It creates "HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\username@domain.com" in the registry. This is a privacy issue because if you're checking your email on a public terminal, you obviously don't want your email address left behind.

Oddly, I have multiple email addresses setup under my copy of Thunderbird and it seems to only list one of them. I guess it only stores the default address? I tried manually removing the registry entry and restarting and it came right back.

Can someone verify this is happening on more than just my machine? I have several plugins running that may be polluting my test results. I also have not checked to see if X-Thunderbird has this issue.


Setup/Software:
Last edited by webfork on Thu Apr 28, 2011 8:31 am, edited 3 times in total.
Reason: (minor edits for clarity/grammar)

User avatar
m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL
Contact:

Re: Mozilla Thunderbird Portable privacy issue

#2 Post by m^(2) » Mon Nov 15, 2010 9:48 pm

Not confirmed, XP x64.

User avatar
webfork
Posts: 8302
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Mozilla Thunderbird Portable privacy issue

#3 Post by webfork » Wed Nov 17, 2010 11:15 am

Tested on a clean WinXP install and it showed up. I guess its just a 32-bit issue.

fang-face
Posts: 41
Joined: Sat Aug 22, 2009 12:26 pm

Re: Mozilla Thunderbird Portable privacy issue

#4 Post by fang-face » Wed Nov 17, 2010 3:34 pm

i confirm that.
webfork wrote:Oddly, I have multiple email addresses setup under my copy of Thunderbird and it seems to only list one of them. I guess it only stores the default address? I tried manually removing the registry entry and restarting and it came right back.
Setup/Software: i also removed it and can confirm that it came back. it's only one address, even if i did not open the account the address belongs to.
under the mentioned key there is an entry "Application" with value " "D:\...\App\thunderbird\thunderbird.exe" -profile "D:\...\Data\profile" -mail ".

User avatar
webfork
Posts: 8302
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Mozilla Thunderbird Portable privacy issue

#5 Post by webfork » Wed Nov 17, 2010 4:41 pm

Thanks fang. I'll post a note on the entry.

fang-face
Posts: 41
Joined: Sat Aug 22, 2009 12:26 pm

Re: Mozilla Thunderbird Portable privacy issue

#6 Post by fang-face » Wed Nov 17, 2010 5:46 pm

maybe other versions don't have this issue.

User avatar
JohnTHaller
Posts: 619
Joined: Wed Feb 10, 2010 4:44 pm
Location: New York, NY
Contact:

Re: Mozilla Thunderbird Portable privacy issue

#7 Post by JohnTHaller » Wed Nov 17, 2010 6:46 pm

Current version should not have this issue. It was an old bug around some Windows versions not having the registry key already in existence (although it should exist) and the launcher not interpreting that properly. TBP 3.1.6 should not have this issue and has code specifically to test and correct for this case (see lines 398-402 and 435-436 in ThunderbirdPortable.nsi). TBP 2.0.0.24 is no longer supported so any bugs in it won't be addressed and should not be seen as confirmation of a bug in a current release.

If you are able to get the bug to re-appear with a current release, please post the steps you did to reproduce it and I'll go about trying to reproduce and address the specific condition.

In the meantime, I have updated the bug to detail the issue as it definitely does not occur on any PC where HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail already exists and doesn't appear to occur for most users where it doesn't. If there is a regression and it does occur on some versions of Windows, it would leave your account name there (which some users may inadvertently set to their email address).

Last I checked, this bug existed in all unlicensed versions of TB done portably but does not exist in ours. At least it didn't about 2 point releases ago. I'll check to see if there is a regression in that code and if there is, do a revision of both TBP and SMP tomorrow morning (NY time).

When this happened last time (quite a while ago as I recall), I wrote a utility to fix the counts and remove the additional entries in the registry and reset the mail counts:
http://johnhaller.com/jh/useful_stuff/r ... il_counts/

(it may give an error about not installing properly on Vista/7 but that error can be ignored)
PortableApps.com - The open standard for portable software | Support Net Neutrality

freakazoid
Posts: 936
Joined: Wed Jul 18, 2007 5:45 pm

Re: Mozilla Thunderbird Portable privacy issue

#8 Post by freakazoid » Wed Nov 17, 2010 9:43 pm

@johnhaller - I couldn't find TB portable 2.0.0.24 on the portableapps.com site. As judging from this thread - http://portableapps.com/node/23080 - some people (including me) would prefer to see it as well.
is it stealth? ;)

User avatar
SYSTEM
Posts: 1818
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Mozilla Thunderbird Portable privacy issue

#9 Post by SYSTEM » Wed Nov 17, 2010 11:30 pm

freakazoid wrote:@johnhaller - I couldn't find TB portable 2.0.0.24 on the portableapps.com site. As judging from this thread - http://portableapps.com/node/23080 - some people (including me) would prefer to see it as well.
http://sourceforge.net/projects/portabl ... 02.0.0.24/ ;)
My YouTube channel | Release date of my 12th playlist: November 1, 2018

User avatar
JohnTHaller
Posts: 619
Joined: Wed Feb 10, 2010 4:44 pm
Location: New York, NY
Contact:

Re: Mozilla Thunderbird Portable privacy issue

#10 Post by JohnTHaller » Thu Nov 18, 2010 7:26 am

freakazoid wrote:@johnhaller - I couldn't find TB portable 2.0.0.24 on the portableapps.com site. As judging from this thread - http://portableapps.com/node/23080 - some people (including me) would prefer to see it as well.
You're welcome to grab it from SourceForge but you absolutely should not be using it anymore. Thunderbird 2.x has been discontinued and is no longer supported. With things like email clients and browsers, this is a HUGE deal as security issues won't be patched. So, all it takes is someone with your address to get infected and have their malware send an email to you that exploits a bug in an old email client and your PC is infected. Or one of the botnets to send it to you (and if you have ever gotten a single piece of spam, the spammers/scammers have your address).

I would highly suggest you either switch to a supported version or switch to another email client. You're at risk now (and putting every PC you use the client on at risk) and that will only get worse with time.
PortableApps.com - The open standard for portable software | Support Net Neutrality

User avatar
webfork
Posts: 8302
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Mozilla Thunderbird Portable privacy issue

#11 Post by webfork » Thu Nov 18, 2010 7:46 am

Here's a full bug report. I'm aware I should do this on the official site rather than here so I can move it if needed.

Setup: Clean copy of WinXP SP3 32-bit under VMware so I have the 'snapshots' feature I can go back to.

Steps:
  1. Start Settings Explorer and use its snapshot (not the same as the VMware one) feature to track the registry before and after
  2. Download and start up Thunderbird
  3. Setup an IMAP mail account (I don't actually download any mail but I can run that test if needed)
  4. Close the program
  5. Run snapshot again and compare
Defect: Email address present in registry

Workaround (if you don't know the Windows registry well, use with caution): Open regedit (may require admin privileges) and do a search for the email address. Right click the registry entry and delete.

If more detail is needed on any of these steps including logs, I can provide.
fang-face wrote:maybe other versions don't have this issue.
I added a note to that thread to sort of address this. Even if they don't, I'd probably rather stick with a more-official version for other reasons.

Edit: That's WinXP SP2, not SP3.
Last edited by webfork on Thu Jan 13, 2011 6:02 pm, edited 3 times in total.
Reason: (added workaround, fang response)

User avatar
JohnTHaller
Posts: 619
Joined: Wed Feb 10, 2010 4:44 pm
Location: New York, NY
Contact:

Re: Mozilla Thunderbird Portable privacy issue

#12 Post by JohnTHaller » Thu Dec 09, 2010 7:24 pm

I added an additional fix to the 3.1.7 release that makes doubly sure that this key is not left behind. It's been tested on clean-install PCs with no mail count that are missing this key (which seems to be a factor in the issue for some people). If you have left this key behind on any PC, I have a utility that fixes it from a while back here:
http://johnhaller.com/jh/useful_stuff/r ... il_counts/

The same patch was applied to SeaMonkey 2.0.11.
PortableApps.com - The open standard for portable software | Support Net Neutrality

Post Reply