
Potential data leak on Resend (bounce) #7993

Closed
Clax92 opened this issue Apr 7, 2021 · 4 comments

Comments


Clax92 commented Apr 7, 2021

I think we found a bug that can cause a data leak using the "Resend (bounce)" function in Roundcube. This bug was reported to us by our customer.

To recreate this bug we need to create a group of contacts with a few addresses and send a message adding this group to BCC (e.g. group 1 (in my case it was [email protected], [email protected])).
Then we go to the "Sent" folder, select our message and, using the "Resend (bounce)" function, send the message to a few other BCC addresses (group 2 (in my case it was [email protected], [email protected])).

Then everyone in group 2 can see the group 1 addresses.

Headers of the received message (as you can see, BCC is visible):

Return-path: [email protected]
Envelope-to: [email protected]
Resent-From: [email protected]
Resent-To: undisclosed-recipients:;
Resent-Date: Wed, 07 Apr 2021 20:33:21 +0200
Resent-Message-ID: [email protected]
MIME-Version: 1.0
Date: Wed, 07 Apr 2021 20:33:03 +0200
From: [email protected]
To: undisclosed-recipients:;
Bcc: gds fdsf [email protected], [email protected]
Subject: test ostatni
User-Agent: Roundcube Webmail/1.4.11
Message-ID: [email protected]
X-Sender: [email protected]
X-Authenticated-Id: [email protected]

This problem exists only when we use Exim as the send/receive server. Postfix seems to remove the old BCC header:

Return-Path: [email protected]
Delivered-To: [email protected]
Resent-From: [email protected]
Resent-To: undisclosed-recipients:;
Resent-Date: Wed, 07 Apr 2021 20:33:21 +0200
Resent-Message-ID: [email protected]
MIME-Version: 1.0
Date: Wed, 07 Apr 2021 20:33:03 +0200
From: [email protected]
To: undisclosed-recipients:;
Subject: test ostatni
User-Agent: Roundcube Webmail/1.4.11
Message-ID: [email protected]
X-Sender: [email protected]
X-Authenticated-Id: [email protected]

P.S. In Gmail, BCC addresses are also visible.

Regards


alecpl commented Apr 9, 2021

The bounce feature is not supposed to touch the original message headers, but maybe we should get rid of Bcc, indeed.

As a workaround you can just use the "Edit as new" feature.

@alecpl alecpl added this to the later milestone Apr 9, 2021

Clax92 commented Apr 9, 2021

Also, if I resend a previously resent message, then all addresses will be visible under the Resent-Bcc header.
Do you think we should remove the Bcc and Resent-Bcc headers via our MTA?

@alecpl alecpl changed the title Potential data leak using Resend (bounce) plugin Potential data leak on Resend (bounce) Apr 12, 2021

alecpl commented Apr 13, 2021

I've discussed this with my colleagues. Here's what we ended up with:

  • Bounce != "Edit as new and Send"
  • Bcc also leaks when using Forward as attachment
  • It was suggested to get rid of the feature as it's confusing
  • Even though it's in the Forward menu some users will use it as "Try again"
  • There's no leak when using Postfix, indeed.

My take is this: we neither get rid of it nor change the behavior, but we display a warning whenever the bounced message contains Bcc or Resent-Bcc. Maybe the message should also say "Hey! This is not 'Try again', you're sending the original message untouched". We may consider displaying a warning also for the forward-as-attachment case.

@thomascube do you have an opinion about this?
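The check behind the warning described above, as an added example (not Roundcube's or Exim's own code): it parses a raw message, reports which of the two disclosure-prone fields are present, lists the addresses they would expose, and shows the stripping a submission MTA such as Postfix performs. The sample message is constructed, with example.org addresses standing in for the redacted ones in the report.

```python
"""Detect and strip Bcc / Resent-Bcc fields from a raw RFC 5322 message."""
from email import message_from_string, policy
from email.message import EmailMessage

# Fields that must not leave the submitting side: RFC 5322 expects Bcc to be
# removed before transport, and a bounce of a bounced message adds Resent-Bcc.
LEAKY_HEADERS = ("Bcc", "Resent-Bcc")

# Constructed sample modelled on the Exim case in the report: a bounced
# (resent) message whose original Bcc line survived untouched.
SAMPLE = """\
Resent-From: sender@example.org
Resent-To: undisclosed-recipients:;
Resent-Date: Wed, 07 Apr 2021 20:33:21 +0200
MIME-Version: 1.0
Date: Wed, 07 Apr 2021 20:33:03 +0200
From: sender@example.org
To: undisclosed-recipients:;
Bcc: Alice Example <alice@example.org>, bob@example.org
Subject: test
User-Agent: Roundcube Webmail/1.4.11

body
"""


def parse(raw: str) -> EmailMessage:
    # policy.default gives structured header objects (addresses, groups).
    return message_from_string(raw, policy=policy.default)


def leaky_headers(raw: str) -> list[str]:
    """Names of Bcc/Resent-Bcc fields present; non-empty means the UI should warn."""
    msg = parse(raw)
    return [h for h in LEAKY_HEADERS if h in msg]  # lookup is case-insensitive


def hidden_recipients(raw: str) -> list[str]:
    """Addresses that a bounce would disclose to the new recipients."""
    msg = parse(raw)
    addrs = []
    for h in LEAKY_HEADERS:
        for field in msg.get_all(h, []):
            addrs.extend(a.addr_spec for a in field.addresses)
    return addrs


def strip_leaky_headers(raw: str) -> str:
    """What a sending MTA should do before transport: drop every instance."""
    msg = parse(raw)
    for h in LEAKY_HEADERS:
        del msg[h]  # removes all occurrences of the field
    return msg.as_string()
```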


alecpl commented May 1, 2021

Another imperfect solution could be disabling the feature on messages in the Sent folder, but I decided against it.

Fixed by adding warnings.


@alecpl alecpl closed this as completed May 1, 2021