As Thunderbird gears up for the 2026 launch of its privacy-focused “Pro” suite, the team has completed a comprehensive security audit of Thunderbird Send, a large-file sharing service that offers end-to-end encryption.
The audit, conducted in collaboration with 7ASecurity and the Open Source Technology Improvement Fund (OSTIF), uncovered and addressed two significant vulnerabilities and delivered over 20 additional hardening recommendations.
The security review was performed as a whitebox audit, meaning the auditors had complete access to Thunderbird Send's systems, source code, infrastructure, and documentation. Over the course of April and May 2025, a five-member team from 7ASecurity tested the application across four work packages: web/API endpoints, cloud infrastructure, threat modeling, and supply chain integrity.
Thunderbird Send builds upon the discontinued Firefox Send codebase, but its architecture has since been significantly overhauled. Now managed by MZLA Technologies Corporation, the service will be included in Thunderbird Pro, an upcoming suite of privacy-centric productivity tools.
Two key vulnerabilities were highlighted in the audit:
A critical unauthenticated denial-of-service (DoS) vulnerability allowed attackers to overwrite backup data for any user, effectively breaking the user's encryption keys and rendering files inaccessible. This was possible due to a lack of authentication on the /api/users//backup endpoint.
A high-severity data exposure flaw caused by insecure direct object references (IDOR) allowed unauthenticated actors to access user containers, shared folders, conversation metadata, and cryptographic materials by simply iterating over user IDs.
Both of these issues were discovered and responsibly disclosed by the 7ASecurity team and subsequently patched by Thunderbird in April 2025, ahead of the audit's public release. The fixes included implementing proper JWT-based authentication and stricter access controls at the API level.
In total, 22 findings were recorded, including a mix of hardening opportunities and medium-to-high-risk misconfigurations. Noteworthy issues included:
- Secrets exposed in cloud resources, such as EC2 UserData scripts and ECS task definitions.
- Lack of separation in cloud workloads, where development, staging, and production services shared the same AWS account.
- Publicly exposed S3 buckets and databases, increasing the risk of data leaks and misuse.
- Absence of critical HTTP headers and CSP configurations, which could leave the web app vulnerable to XSS or clickjacking attacks.
Though most of these findings were resolved before the report was finalized, Thunderbird acknowledged that some fixes, particularly around infrastructure isolation, would require longer-term architectural changes. The report notes that Thunderbird Pro services currently operate under a single AWS account, a setup slated for segmentation as the ecosystem matures.
The auditors also evaluated Thunderbird Send's adherence to modern supply chain security practices using the SLSA (Supply-chain Levels for Software Artifacts) framework. While the current implementation partially aligns with the SLSA v1.0 model, full build attestations are expected to be added in 2026.
Leave a Reply