Sophos Cloud Optix
Do your shoulders feel lighter?
They should if you’re a Gmail user, since Google just lifted from users what one assumes must have been the heavy burden of having to choose whether to display images in email.
You were relieved of this choice as of Friday, when Google announced that Gmail users will now see images automatically.
Automatic image viewing for desktops was enabled on Friday, and we’ll see it on Android and iOS apps in early 2014.
Up until now, we’ve had to mull whether or not we want to view images because all sorts of security sliminess and privacy pitfalls can lurk behind them.
Clicking on images is like leaving whatever fortress you’re holed up in and venturing out into the wide, open, scary world of somebody else’s HTTP territory.
That’s because emailed images, though they might look like they’re part of the email, are normally hosted on a web server controlled by the email sender.
As far as privacy issues go, when you load the images, you not only get to see whatever pretty picture the sender wishes to bestow upon your eyeballs; you’re also sending a message about yourself (an HTTP request) to the email sender.
First off, by clicking on an image, you’re giving the sender any cookies you might have previously received from their website. You’re also giving them your IP address, which can provide a rough idea of your location, and your user-agent string which is a brief description of the browser and operating system you’re using.
Also, unless you’re using a browser or a browser add-on that blocks the action, the sender will also get an HTTP referrer: an HTTP header field that shows the URL of the page that you are on.
Perhaps more useful than all of those though, you’re giving email marketers and spammers confirmation that their email has been read and that your email address is ‘live’.
As Ars Technica’s Ron Amadeo points out:
It's even possible to uniquely identify each e-mail, so marketers can tell which e-mail address requested the images—they know that you've read the e-mail. And if it was spam, this will often earn you more spam since the spammers can tell you've read their last e-mail.
So if images are on by default then by the time you’ve looked at an email, determined it’s spam and hit the ‘junk’ button you’ve already told the spammers that you’ve opened the email.
But wait, there’s more: given that the images are hosted on remote, third-party servers, there’s even the possibility that images themselves can be rigged to exploit security vulnerabilities and inflict malware on the computer systems of those who click.
Google aims to curtail the risks of clicking on remotely hosted images by henceforth serving all images from its own, secure proxy servers.
It will be great – just great! says Google:
Your messages are more safe and secure, your images are checked for known viruses or malware, and you’ll never have to press that pesky “display images below” link again. With this new change, your email will now be safer, faster and more beautiful than ever.
With Google serving as the image middleman marketers, spammers and phishers should be starved of all that leaky HTTP stuff but will they still know who’s opened their emails?
Up until now marketers have been able to look at how many times their images have been loaded and use it to work out, at least roughly, how many times their emails actually got opened.
Now that Google’s putting itself between you and the marketers’ servers they will presumably be requesting each image just once from the original server and then caching it for the benefit of all Gmail users.
That ought to mess up marketers’ “open rates” and prevent confirmation that your email address is active, right? Nope, it won’t help matters at all.
As a Google spokesperson acknowledged when CNET asked, senders can simply use a unique image URL per recipient.
Instead of requesting one image from the sender and caching it, Google would have to ask for each unique URL. This ought to make email open-rate tracking even more accurate than it is now because, thanks to this update, every email that’s opened will automatically download images.
This is, in fact, the conclusion reached by security researchers including H.D. Moore and Robert Hansen.
Moore told CNET that the proxy servers will turn on default “read tracking” for all Gmail users, which bestows power on people we don’t necessarily want to empower:
This would allow a stalker or other malicious entity to determine whether the e-mail they sent to a target is being read.
The Google spokesperson pointed out that the proxy server helps protect the recipient’s IP address, geographic location, browser user agent, and “other identifying information.”
OK. But Google could have given their users all that good stuff without taking away their ability to choose whether they want to see images or not.
Luckily, Gmail users can disable automatic image viewing – here’s how:
- Open Gmail.
- Click the gear icon in the top right.
- Select Settings.
- Stay in the General tab.
- Scroll down to the Images section.
- Choose “Ask before displaying external images”.
- Click Save Changes at the bottom of the page.
The only way to do it right would be to load images for all messages. Even if they are addressed to nonexistent account. That way it would be made useless target users based on unique image URL as all messages sent wil receive exactly one hit.
You mean have the mail server retrieve the images and locally attach them to the email?
How smart would an email server have to be to arrange that properly?
And what about doing the HTTP GET for the image(s) in the first place? Will it understand the javascript behind it? The redirects? And it’s a great way to send an attack to a server just by sending an email and leveraging weaknesses in parses. Exchange’s OWA WebReady has been fighting just such issues in the last few years.
The solution is to put it in the hands of users. Unfortunately, ~95% of Google’s revenues come from advertising. And being public, Google cares more about profits than about its users (in a strict sense).
Yes, that was what I was suggesting, download all images in all messages. The attack you suggested is only mountable if messages will be custiomized. If you send messages with link to same image, then it will be downloaded only once and cached by google.
As you wrote there are still problems with this technique, but it doesn’t reveal user’s e-mail use.
Regarding javascript I think, that it is not possible in e-mails.
It’s trivial to have an infinite number of URLs lead to the same image. The point Lisa was making in the article was that mailers just need to use a different URL in each email and Google will have to retrieve all of them even though the image at the end of the URL is the same, which actually makes tracking more accurate that it is today.
To phoenix the post from the past:
Could Google leverage the tech behind their image search (it’s possible this is its genesis) to drastically reduce their storage requirements and still protect users now that serialized URL images are widespread? It’d naturally require a massive database dedicated to consolidating duplicate images.
Silly question. Of course they *could*. But by now, four years later… *do* they?
Title for me is “External content” rather than “Images”. The correct choice is “Ask before displaying external content”.
It’s “Ask before displaying external images” for me. Google sometimes A/B tests these things or rolls out changes in a phases so I wouldn’t be surprised if there are variations on a theme.
I have two Gmail accounts. The wording was different for each one I clicked on. Way to ensure your product is consistent across the line there, Googs!
Google often rolls out changes in batches, so one account may have been updated but not the other. They also do A/B testing with potential changes, showing one version to some accounts and another to different accounts, to see which works better.
This setting claims to be for trusted senders only, not everyone, so if this really is the case you may not want to turn this one off after all. (basically whenever you click the “Always show images from ….” link in GMail).
Okay, it looks like this change may be on gradual rollout. When logging on to GMail tonight I got a message clearly stating that images are defaulting to auto-loading with a link to settings where I could turn this feature off. Sure enough, it’s now labelled “Images” after the change, although Google do claim to be able to block beacons (unique images that tell whether or not you opened a message). The “Always show images from…” setting appears to still be intact though, and it looks like there’s a “Never show images from…” option if you have auto-loading enabled.
Trust no-one.
Lisa wrote: “Also, unless you’re using a browser or a browser add-on that blocks the action, the sender will also get an HTTP referrer: an HTTP header field that shows the URL of the page that you are on.”
Well, yeah, but in this case the referring page will always be http://gmail.com (or its international equivalent), hence a moot point. It merely lets the sender know that you reached his site via the email he sent and not through other navigation. No real privacy invasion from that slight bit of additional information.
Not just gmail.com – not always. We actually edited out part of the quote from ARS where they mention that referrer headers will include the name of any sub-folders that you filter your email into.
At that point you’re leaking information about your folder structure that you might reasonably assume is private.
And what if Gmail change the way they use their URLs tomorrow and start including other bits of private information? Will you or they remember at that point that the previously benign referrer now contains something you don’t want to leak and remember to take action? I wouldn’t count on it.
I agree it’s a long shot to imagine somebody making nefarious use of the referrer but the principle of least privilege says we shouldn’t have to.
“Will they remember at that point that the previously benign referrer…”
Judging by how frequently I’ve Googled a solution to a Google-service-based question only to find outdated documentation…
No.
With they way these companies are going it may be better to take the computer off line completely and forget about the internet until such time these idiot companies realise they will lose revenues. I personally have had enough of all the spying going on online. what with the NSA , GCHQ ,now Google want to know exactly what you are doing. When will it end.probably never and it comes down to greed.
I like how much effort you put into not reading the article.
Rarely use my gmail account. Tried going into it to reinstate privacy and discovered I can’t do it without now giving them my phone number. I already get enough spam calls on that without giving it away to a company that can’t be trusted to keep data safe from spammers. Mega #FAIL Google!!
The phone number is for 2-factor authentication. They’ve had 3 of my numbers for several years and not a single spam call from any source.
Google will know if an image is served to multiple users as it will see the same URL (with potentially different parameters) in multiple emails. It would be a simple process to check that the image to a specific parameter is the same as a random parameter, which means the served image is not parameter specific. That way, Google can retrieve the image without revealing user specific tracking (apart from the first user, but there would be ways around that).
That may not be the most sophisticated way of doing it, but Spam is a major problem, and I’m sure Google will be doing something clever to prevent it’s spread, and the tracking of it’s users.
It’s trivially easy to have radically different URLs lead to the same image – you don’t need to rely on a common URL with different parameters.
Dear Lisa, sorry this isnt spicy. Thank you for the clear explanation. Hasta la habanyero “_” kb
Images on by default, but ohhh it’s OK as Google are putting the images up. Sounds more like a marketing excercise for Google than actual help for its email users. Cynical? .. I think not. Google used to be OK but are god awful lately. For a while I thought there would be justifiable reasons for what they do, but with the street view Wi-Fi sniffing it became apparent Google just couldn’t give a fricken monkeys about what it does. As long as it makes money it’s fine. Tying Google mail to YouTube seriously annoyed me too. Once someone comes up with a YouTube clone to rival it without being tied I’ll leave YouTube and all things Google for good.
Google may think they are making money, but their antics of late will start driving users away the more clued up they get. I’m almost of the opinion of others that said it here of just unplugging everything and not bothering with the internet. You can hardly plug in your LG smart TV these days without someone ripping out data to make money advertising in your face.
As for advertisers, I’m with the late great Bill Hicks on that, and if you’ve not seen it, YouTube Bill Hicks on Advertsing and Marketing 😀
Sorry but I just tested my gmail account. I had already gone to settings and changed to “Ask before displaying external images”, so I sent myself an email from my Thunderbird mail with an image attached. It was showing as a preview when I opened it in gmail. I then sent a second email this time with the same image inserted into the email (not as an attachment). Opened in gmail and there it was displaying full size. So apparently choosing “Ask before displaying external images” is more Google crap.
Sorry my error in understanding, I just searched Google and found the following: “it may not be an external image – you can’t not show attached or inserted images in gmail”.
Some senders try to use externally linked images in harmful ways, but Gmail takes action to ensure that images are loaded safely. Gmail serves all images through Google’s image proxy servers and transcodes them before delivery to protect you in the following ways:
Senders can’t use image loading to get information like your IP address or location.
Senders can’t set or read cookies in your browser.
Gmail checks your images for known viruses or malware.
In some cases, senders may be able to know whether an individual has opened a message with unique image links. As always, Gmail scans every message for suspicious content and if Gmail considers a sender or message potentially suspicious, images won’t be displayed and you’ll be asked whether you want to see the images.
Im finding images attaching themselves to my outgoing mails without asking. I REALLY don’t want this. Is it malware of some sort