Thunderbird Supernova next message after delete (security risk)
I recently upgraded Thunderbird to 115.3.1, and a horrible change took place. I browse messages in split view, rightclick-delete unwanted messages from the message list on top. The new version - unlike the pre-115 - automatically selects (and opens in bottom pane) the next message closest to the deleted one. Needless to say this is a huge security flaw. I never want to auto-select or auto-open an unknown message.
I am aware of the advanced "mail.delete_matches_sort_order" and the "close message window/tab on move or delete" switches; neither does anything useful anymore. I have an old, safe message at the top of my message list (sorted on oldest first), selected and opened while browsing the list, and in the previous version, even in the worst case it always kept viewing this safe message. But now it always switches selection to a neighbor (DOWN in the list) of the deleted message - but a neighbor of an unsafe message is usually another unsafe message regardless of sort type.
The only temporary workaround I see atm is leftclick-drag messages to trash, but this is also unsafe because of occasional doubleclick. Thunderbird cannot be used safely atm? Should this horrible change be filed as a bug report somewhere? Please help.
All Replies (2)
Just curious, what is the security issue with auto opening a message? To be clear, you cannot get some virus by opening a message, nor will any scripts contained in the message run. So what is the security risk to which you refer? BTW I am a refugee from Microsoft mail clients where the mantra about opening mails is very valid because you can have all sorts of nasty things happen from opening an email. None of which applies to Thunderbird, except as old wives' tales.
If you look at changelogs (even Thunderbird changelogs from less than a month ago), critical issues are fixed regularly, which would allow remote code execution just by displaying a single image or things like that. Remember the nix vulnerability from a few years ago, where the OS would straight execute shell commands it received in HTTP requests' cookies or headers. There is no telling what will be in tomorrow's changelog.
Rightclick-deleting unsafe mails without selecting or opening them is probably the most important function of a mail client. Why take a risk without any potential gain?