A new Gmail policy that allows e-mailed image attachments to load automatically comes at a price, say two security researchers.
Google announced on Thursday that Gmail would once again load attached images by default. The feature had been disabled years ago, as a way of clamping down on malware and phishing attacks.
The news was accompanied by an explanation: Google proxy servers would host the images, thus preventing any malware they were hiding from surreptitiously showing up in the e-mail.
However, security researcher H.D. Moore determined that the proxy servers posed a tracking risk to e-mail recipients.
"If Gmail does start to display images automatically (which is their stated intent) and this occurs only when a user views the message, it will enable 'read tracking' by default for all Gmail users," Moore told CNET in an e-mail.
"This would allow a stalker or other malicious entity to determine whether the e-mail they sent to a target is being read," he said.
It has other implications, as well. Because any image URLs in the e-mail are requested by Google's servers, it may allow some malicious behavior to be automated by sending e-mail filled with images to Gmail accounts at random. This is problematic, Moore said, because flaws exist in Web applications that can be exploited by doing nothing more than requesting a URL.
A Google spokesperson acknowledged that with e-mailed proxy images, the sender could use a unique URL per recipient to determine whether an e-mail had been opened. However, the spokesperson pointed out that the proxy server helps protect the recipient's IP address, geographic location, browser user agent, and "other identifying information."
Robert Hansen, a browser specialist and technical evangelist at the security firm WhiteHat Security, agreed with Moore's assessment.
"This actually does make sense in a way because it allows Google to speed up Gmail by sourcing images locally as opposed to remote images that can cause page-load issues. Most people don't think about e-mail as being Web pages and having remote calls," he said.
Moore pointed to how it can make it easier for some attacks to get through.
"Granted, this is no different than viewing a Web page or displaying images manually, but due to the 'automatic' loading of the image URL, it becomes a much more practical attack," Moore said.
The proxy servers create another problem: it is now possible to determine which e-mail accounts are active simply by sending them messages containing images whose URLs carry embedded tracking codes.
"If you want to know whether an account is actively used or dormant, this is now a simple test," he said.
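The read-tracking and account-probing techniques described above both rely on the same thing: an image reference that is unique per recipient and often invisible. As an added defender-side example (not from the article, and not Google's code), here is a small Python scanner that flags such image references in an HTML message body: tiny or hidden images, and image URLs carrying an opaque, high-entropy token. The sample message, the hostnames, and the length and entropy thresholds are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from math import log2
from urllib.parse import urlparse, parse_qsl

# Constructed sample message body: one ordinary logo, one hidden 1x1 pixel with an
# opaque path token, and one visible image whose query string carries a recipient id.
SAMPLE_HTML = """<html><body><p>Hello!</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/o/3f9a1c77b2e84d0a9c6e5b1f.gif" width="1" height="1" style="display:none">
<img src="https://news.example.org/pixel?rid=a8f3c2e1d9b74650f1e2c3d4" alt="">
</body></html>"""

class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.imgs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})

def _entropy(s):
    # Shannon entropy in bits per character; random-looking ids score high.
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values()) if n else 0.0

def _is_tiny_or_hidden(attrs):
    def px(v):
        m = re.match(r"\s*(\d+)", v)
        return int(m.group(1)) if m else None
    w, h = px(attrs.get("width", "")), px(attrs.get("height", ""))
    style = attrs.get("style", "").lower().replace(" ", "")
    hidden = "display:none" in style or "visibility:hidden" in style
    return (w is not None and w <= 1 and h is not None and h <= 1) or hidden

def _has_opaque_token(url, min_len=16, min_bits=3.5):
    # Per-recipient ids usually appear as long high-entropy path segments or query values.
    parts = urlparse(url)
    candidates = [seg for seg in parts.path.split("/") if seg]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(len(c) >= min_len and _entropy(c) >= min_bits for c in candidates)

def find_tracking_pixels(html):
    """Return [(src, [reasons])] for remote images that look like read-tracking beacons."""
    p = _ImgCollector()
    p.feed(html)
    flagged = []
    for a in p.imgs:
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline/cid images cannot report back to a sender
        reasons = []
        if _is_tiny_or_hidden(a):
            reasons.append("tiny-or-hidden")
        if _has_opaque_token(src):
            reasons.append("opaque-token")
        if reasons:
            flagged.append((src, reasons))
    return flagged
```

A mail filter could use such a result to strip or rewrite flagged images before the message reaches a client that auto-loads them, which is what the per-message "show images" setting effectively did for the user.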
Google could avoid the tracking problem, Moore said, by caching the images when the e-mail is received, before the Gmail account owner reads the message. However, that approach would let malicious request proxying occur more aggressively, potentially enabling distributed-denial-of-service (DDoS) attacks sourced from Google's servers.
WhiteHat Security's Hansen agreed that Google has backed itself into a position somewhere between a rock and a hard place.
"The tracking issue may or may not be a real issue, depending on the implementation, but either way this is a dangerous decision," he said. "It either helps remote tracking of users, or it helps distributed-denial-of-service attacks."
Google's take is two-fold. First, the company argues that the only information an e-mail sender could glean from the proxy hosting of images is that an account is active, far less than when users had to click on "show images." Second, for users who don't like the proxy hosting, there is an option in Gmail settings to revert to the older behavior of image loading on a per-message basis.
Hansen remained skeptical, though, noting that Google has not exactly been a strong consumer privacy advocate in the past. "This could also pave the way to an additional anti-privacy business model, where Google selectively turns images on for certain partners who pay them for tracking," he said.