CVE-2005-3402
Description
The SMTP client in Mozilla Thunderbird 1.0.5 BETA, 1.0.7, and possibly other versions, does not notify users when it cannot establish a secure channel with the server, which allows remote attackers to obtain authentication information without detection via a man-in-the-middle (MITM) attack that bypasses TLS authentication or downgrades CRAM-MD5 authentication to plain authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:mozilla:thunderbird:1.0.5:beta:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.7:*:*:*:*:*:*:*
- (no CPE) range: 1.0.5 BETA, 1.0.7
Patches
Vulnerability mechanics
Root cause
"Missing user notification and silent fallback from secure to insecure authentication in the SMTP client allows plaintext password transmission."
Attack vector
An attacker on the network path can perform a man-in-the-middle (MITM) attack that either bypasses TLS authentication or downgrades CRAM-MD5 authentication to plain authentication [ref_id=1]. Because Thunderbird does not notify the user when it cannot establish a secure channel with the SMTP server, the attacker can intercept the plaintext password without detection. The attack requires the attacker to be positioned between the victim's client and the SMTP server, and the victim's Thunderbird must be configured to use "No" or "TLS, if available" for the connection security setting [ref_id=1].
Affected code
The SMTP client in Mozilla Thunderbird 1.0.5 BETA, 1.0.7, and possibly other versions, does not notify users when it cannot establish a secure channel with the server. The bug report [ref_id=1] identifies the core issue as the fallback behavior in the SMTP authentication logic: if secure authentication (e.g., CRAM-MD5) fails, the client silently falls back to insecure LOGIN or PLAIN methods, sending the plaintext password over the wire.
What the fix does
The fix, tracked in Bugzilla [ref_id=1], changes SMTP authentication behavior to match that of POP and IMAP: the client will only try secure authentication if the user has explicitly chosen it via a new "useSecAuth" preference (replacing the old "trySecAuth" hidden pref). A later patch (v3 with autoprobe) adds auto-probing so that on new server setup the client tries secure auth first and, if it succeeds, automatically sets the pref to use secure auth; if it fails, it silently falls back without exposing the password. The patch also moves the authentication-method check into ProcessAuth() to correctly evaluate available methods after STARTTLS has been established [ref_id=1].
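To make the silent fallback and the fix concrete, here is an added Python model of the client-side mechanism selection; it is not Thunderbird's code. The function names, the EHLO responses and the mechanism lists are constructed for this illustration, and the fixed variant models the useSecAuth rule by raising an error for the caller to show the user instead of downgrading.

```python
import base64
import hashlib
import hmac

SECURE_MECHS = ("CRAM-MD5",)
PLAINTEXT_MECHS = ("PLAIN", "LOGIN")

# Constructed EHLO responses: what the server really advertises, and the same
# capability list with CRAM-MD5 stripped, as the client sees it after tampering.
EHLO_ORIGINAL = ["250-mail.example.test", "250-STARTTLS", "250 AUTH CRAM-MD5 PLAIN LOGIN"]
EHLO_DOWNGRADED = ["250-mail.example.test", "250 AUTH PLAIN LOGIN"]

def parse_auth_mechanisms(ehlo_lines):
    """Return the AUTH mechanisms advertised in an EHLO response (RFC 4954 form)."""
    for line in ehlo_lines:
        body = line[4:].strip()  # drop the "250-" / "250 " status prefix
        if body.upper().startswith("AUTH "):
            return [m.upper() for m in body.split()[1:]]
    return []

def cram_md5_response(user, password, challenge_b64):
    """CRAM-MD5 client reply (RFC 2195): only an HMAC over the server challenge
    crosses the wire, so a passive observer never sees the password itself."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def pick_mechanism_vulnerable(mechs, secure_auth_failed=False):
    """Fallback the CVE describes: if CRAM-MD5 is absent or fails, quietly
    switch to a plaintext mechanism without notifying the user."""
    if "CRAM-MD5" in mechs and not secure_auth_failed:
        return "CRAM-MD5"
    for m in PLAINTEXT_MECHS:
        if m in mechs:
            return m  # password leaves in the clear and the user is never told
    return None

def pick_mechanism_fixed(mechs, use_sec_auth):
    """Post-fix rule as modelled here: with useSecAuth set, a secure mechanism is the
    only option and its absence is an error; without it, CRAM-MD5 is never attempted."""
    if use_sec_auth:
        for m in SECURE_MECHS:
            if m in mechs:
                return m
        raise ValueError("server offers no secure auth mechanism; refusing plaintext fallback")
    for m in PLAINTEXT_MECHS:
        if m in mechs:
            return m
    return None
```

Run against EHLO_DOWNGRADED, the vulnerable selector returns PLAIN while the fixed selector with use_sec_auth=True raises, which is the user-visible failure the patch introduces.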
Preconditions
- network: Attacker must be on the network path between the victim's client and the SMTP server (MITM position)
- config: Victim's Thunderbird must be configured with 'Use secure connection' set to 'No' or 'TLS, if available'
- input: The SMTP server must advertise secure authentication (e.g., CRAM-MD5) that the client will attempt first
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.