Incident Response, TDR, Vulnerability Management

New Gmail security feature may leave users more vulnerable, expert suggests

Google introduced image proxying to Gmail on Thursday to improve security and efficiency, but there is speculation that the feature may end up bringing more harm than good.

The feature – available now on desktops and in early 2014 on Gmail mobile apps – ultimately displays all images embedded within emails so that users are no longer required to hit the ‘display images below' prompt that many Gmail veterans have likely grown accustomed to clicking.

Google previously required users to click the ‘display images below' prompt because images displayed in messages were being hosted on original external servers. This means that an attacker could more easily compromise a user's computer or mobile device if, say, an embedded image were to contain malware.

Attacks like this should not be as easy anymore – at least not in Gmail. In a Thursday announcement, John Rae-Grant, a Google product manager, wrote that all images embedded in emails are now run through Google's secure proxy servers where communications are checked for viruses and malware.

Users who are set in their ways can continue to display images manually by going into their settings and clicking the “Ask before displaying external images” option under the ‘General' tab.

However, the new feature has not prompted unanimous support.

HD Moore, chief research officer at vulnerability management company Rapid7 and chief architect of the Metasploit Framework, told SCMagazine in a Monday email statement that he had drawn some conclusions after carrying out a few quick tests.

“If Gmail does start to display images automatically and this occurs only when a user views the message, it will enable “read tracking” by default for all Gmail users,” Moore wrote. “This would allow a stalker or other malicious entity to determine whether the email they sent to a target is being read.”

Moore added, “If Gmail starts to cache images as email is received and before the user reads the message, the tracking aspect will be resolved, but it does open the door to malicious request proxying in a much more aggressive form.”

There may be other implications, as well. “Any image URL in the email is now requested by Google's servers,” Moore wrote. “This may allow some malicious behaviors to be automated just by sending image-laden messages to dozens of random Gmail account holders. For example, some web application flaws can be exploited simply by requesting a URL.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.