Thunderbird is vulnerable to information disclosure. An attacker who intercepts Thunderbird’s initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism can send a crafted response, to which Thunderbird responds by sending the username and password over HTTPS to a server controlled by the attacker.