Security implications of Google’s decision to display images in Gmail by default
This Thursday, Google announced that it will, once again, be displaying attached images in emails sent to Gmail users by default.
Years back, Google decided to stop doing just that because it was trying to hinder the efforts of phishers and malware peddlers, as well as to prevent senders from discovering information about users’ systems and their IP address.
But the big change is that the images will now be served through Google’s own secure proxy servers and not their original external host servers, allowing Google to check every image before displaying it, and block those that contain known malware. The request going through Google’s proxy servers will also prevent the aforementioned information grab.
“There’s also a bonus side effect for Google: e-mail marketing is advertising. Google exists because of advertising dollars, but they don’t do e-mail marketing. They’ve just made a competitive form of advertising much less appealing and informative to advertisers,” notes Ars Technica’s Ron Amadeo. “No doubt Google hopes this move pushes marketers to spend less on e-mail and more on Adsense.”
On the other hand, marketers and other, more malicious senders can’t be completely unsatisfied, as this new state of affairs allows them to see when the email was opened and how often.
HD Moore, Chief Research Officer at Rapid7, has analyzed what happens when a sender sends an email with an image and the Gmail-using recipient opens it. He discovered that Google servers request the image the first and often each consecutive time the email is viewed.
“That means for the first time in years, Gmail by default will allow senders who embed a unique image address in each message they send to know which ones are ignored, which ones are opened, and how many times they are viewed,” Dan Goodin points out.
Email marketing service provider MailChimp confirmed Moore’s discoveries and welcomed the change.
“You may know this already, but along with most ESPs, MailChimp tracks opens by placing a tiny, single-pixel-sized image in each email. When someone views images in the email, our image-hosting servers get a request for the pixel-sized pic, and we use that request to track opens for each subscriber,” they shared.
“Using cached images is a fine idea for Gmail, but it has the potential to mess with open tracking for ESPs. Fortunately, MailChimp can still detect the first request for the open-tracking pixel,” they noted, adding that their customers will now have a more accurate view on how many subscribers have actually read the email.
HD Moore pointed out other potential security flaws of the new default setup. Firstly, malicious attackers can now easily check whether an email account is actively being used and therefore makes for a viable target for email attacks.
Secondly, stalkers and similar threatening individuals can see if their emails have been read by their victim.
Users can (luckily) set Gmail accounts settings to make images not load automatically (Settings > General > “Ask before displaying external images”).
“That option will also be the default for users who previously selected “Ask before displaying external content’,” Google noted in Thursday’s announcement.