Google Will Soon Show Email Images By Default In Gmail Without Compromising Your Security And Privacy



You probably see that "Display images below" button in Gmail all the time on both mobile and desktop. This is the default behavior because it makes it harder for spammers and advertisers to track you. However, Google says it has prepared a workaround that mitigates the security concern and will allow it to show those images by default.

 

When you get an email containing images, the files are loaded from an external host server. Each time you download the images in an email, the sender (read: spammer) can use that to track you. First, they learn that the address belongs to a real person and not a dead inbox; the request can also hand them your IP address. Google is circumventing this by opening each image in the email itself, then serving it to you from its proxy servers instead of the external one. This instantly renders image loading data useless to spammers, and makes it safe to show you all your email pics by default.

 

Google is also going to be scanning for malicious content hidden in images at the same time. So consider this a double win. If you don't like awesome things, you can set Gmail to go back to the old behavior of hiding images by default.

 

Source: Android Police
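As an added illustration (not Google's code, and not part of the original article), here is a minimal Camo-style rewriter in Python showing what a render-time image proxy does to an HTML body, how the proxy validates the links it issued, and why a unique per-recipient image URL still reaches the sender's server even though the reader's IP and user agent do not. The proxy origin, signing key, and sample message are constructed assumptions.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import quote, unquote, urlparse

# Constructed assumptions: a hypothetical proxy origin and signing key.
PROXY_BASE = "https://img-proxy.example/"
PROXY_KEY = b"constructed-example-signing-key"
IMG_SRC_RE = re.compile(r'(<img\b[^>]*?\bsrc=")([^"]+)(")', re.IGNORECASE)

def sign(upstream: str) -> str:
    """HMAC over the upstream URL so the proxy only fetches links it issued."""
    return hmac.new(PROXY_KEY, upstream.encode(), hashlib.sha256).hexdigest()

def proxy_url(upstream: str) -> str:
    """Camo-style link: <proxy>/<hmac>/<percent-encoded upstream URL>."""
    return f"{PROXY_BASE}{sign(upstream)}/{quote(upstream, safe='')}"

def rewrite_image_srcs(html: str):
    """Rewrite remote <img src> links to the proxy at render time and return
    (rewritten_html, upstream_urls); cid:/data: images never leave the mail."""
    upstream = []
    def repl(m):
        src = m.group(2)
        if urlparse(src).scheme not in ("http", "https"):
            return m.group(0)
        upstream.append(src)
        return m.group(1) + proxy_url(src) + m.group(3)
    return IMG_SRC_RE.sub(repl, html), upstream

def resolve_proxy_path(path: str) -> Optional[str]:
    """Proxy side: check '<hmac>/<encoded upstream>' and return the URL the
    proxy will fetch on the reader's behalf, or None if the HMAC is wrong."""
    sig, _, encoded = path.partition("/")
    upstream = unquote(encoded)
    return upstream if hmac.compare_digest(sig, sign(upstream)) else None

def has_per_recipient_token(upstream: str) -> bool:
    """Heuristic for the thread's caveat: a long opaque segment in path/query.
    The proxy fetches exactly this URL, so the sender still sees the open."""
    u = urlparse(upstream)
    return re.search(r"[0-9a-fA-F]{16,}|[A-Za-z0-9_-]{24,}", u.path + "?" + u.query) is not None

# Constructed sample message body: a static logo plus a unique tracking pixel.
SAMPLE_MAIL = (
    '<p>Hello</p>'
    '<img src="https://news.example/logo.png">'
    '<img alt="" src="https://track.example/o/3f9a1c7e5b2d4a6f8e0c1b3d5f7a9c2e.gif">'
    '<img src="cid:part1">'
)
```

Running `rewrite_image_srcs(SAMPLE_MAIL)` rewrites the two remote images to proxy links and leaves the inline `cid:` part alone; `has_per_recipient_token` flags the tracking pixel but not the logo.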


only works if they open all the images sent to non-existent addresses too

Yeah, it wouldn't necessarily stop them from verifying you're a valid inbox if the image links are unique per email and Google opens them for you elsewhere; they'd still be opened, showing you viewed the email, but at least you wouldn't be directly connecting to their server to get the images and exposing your IP to them. This seems like it'd only help half the issue unless you're right and they go ahead and cache all images, even ones that weren't opened, which I can't see them doing.


But doesn't that tell spammers that ALL email addresses they're sending to are valid, and promote more spam?

 

I don't mind the idea - but I'm not confident it will "solve" a problem...


But doesn't that tell spammers that ALL email addresses they're sending to are valid, and promote more spam?

 

I don't mind the idea - but I'm not confident it will "solve" a problem...

 

yea, it'll temporarily increase the spam for everybody until the spammers catch on

 

Yeah, it wouldn't necessarily stop them from verifying you're a valid inbox if the image links are unique per email and Google opens them for you elsewhere; they'd still be opened, showing you viewed the email, but at least you wouldn't be directly connecting to their server to get the images and exposing your IP to them. This seems like it'd only help half the issue unless you're right and they go ahead and cache all images, even ones that weren't opened, which I can't see them doing.

 

They don't have to save anything, just download it directly to /dev/null for all they care. But I still doubt they'd waste the bandwidth on that.


Google is circumventing this by opening each image in the email, then serving it to you from its proxy servers instead of an external one.

 

Nice!  So is this only when viewing on the website, or will Google replace images received via IMAP (or w/e) with links to their proxy server?


But doesn't that tell spammers that ALL email addresses they're sending to are valid, and promote more spam?

 

According to this article, no: Google caches the image the first time it's opened and serves it from the proxy for every subsequent image request until the TTL expires.

Senders would only get a request for one single image ID for the duration of the TTL.

 

Nice!  So is this only when viewing on the website, or will Google replace images received via IMAP (or w/e) with links to their proxy server?

 

I guess it'll work for every image that's not attached but linked. If they are modifying the body of the mail in their servers to replace the links I don't think it would matter how you get to read them, web, IMAP or whatever.

 

*edit: I'll have to take that back: apparently the link replacement happens at render time on Gmail's web and mobile apps. The actual mail is not modified so you'd still go straight to the original image if you were getting your mail through IMAP.

At least that's how it seems to be working as of now.


According to this article, no: Google caches the image the first time it's opened and serves it from the proxy for every subsequent image request until the TTL expires.

Senders would only get a request for one single image ID for the duration of the TTL.

 

 

I guess it'll work for every image that's not attached but linked. If they are modifying the body of the mail in their servers to replace the links I don't think it would matter how you get to read them, web, IMAP or whatever.

 

*edit: I'll have to take that back: apparently the link replacement happens at render time on Gmail's web and mobile apps. The actual mail is not modified so you'd still go straight to the original image if you were getting your mail through IMAP.

At least that's how it seems to be working as of now.

 

so the spammer just makes the TTL 1 second?


This instantly renders image loading data useless to spammers, and makes it safe to show you all your email pics by default

er, no.

Doing so only means the spammer gets the wrong IP addresses, but they are still able to figure out whether that inbox is still usable, whether it is actively used or has been inactive for a long time. That depends on how the proxies retrieve the image from the original spammer host: are they retrieved when the user opens their inbox, or when Gmail receives the spam?

I have seen spammers using a long unique hash in the image URL, which lets them link which hashes were sent to which inboxes, and which images/hashes were requested for download.


so the spammer just makes the TTL 1 second?

If the point was hiding the client's access to images they could just not honor that TTL, although Gmail's blog seems to point out that that might be a potential side effect rather than an actual feature.

What they are talking about is hiding user data (IP, user agent, geolocation), avoiding tracking (no way to set cookies on the user's browser) and making images safer (images are analyzed for known exploits and transcoded before sending them to the user).


Time to go back to Hotmail or even better, pay for hosted exchange.

Google and its nosy tech Nazi approach of "I know what's best for you"

 

So I'm guessing you don't know what this is.


On the face of it this sounds really good, but I think it will only affect legitimate email campaigns in the long run. Spammers will be unaffected at best and, depending on how it works, could even use it to identify registered Gmail addresses en-masse.

The cynic in me wonders how long it is before Google start selling "email analytics" to those who run email campaigns.


Time to go back to Hotmail or even better, pay for hosted exchange.

Google and its nosy tech Nazi approach of "I know what's best for you"

 

Yea, too bad you cannot disable this option....no, wait.....


Google's proxy servers request the image each time you open a message which means that spammers will know that your email address is active if they embed unique images in emails. 

 

From Google's support page:

 

 

...senders may be able to know whether an individual has opened a message with unique image links.

 

If anything, this will lead to more spam.


If anything, this will lead to more spam.

 

Google is great about blocking spam. I never get any spam in my INBOX and it all goes to the spam folder....so I never see it. Cannot say that for Yahoo email, and I don't really use my Outlook account ATM.


On the face of it this sounds really good, but I think it will only affect legitimate email campaigns in the long run. Spammers will be unaffected at best and, depending on how it works, could even use it to identify registered Gmail addresses en-masse.

The cynic in me wonders how long it is before Google start selling "email analytics" to those who run email campaigns.

what? how?

 

They wouldn't have to open all of them, just some of them at random.

that's true, although the exact percentage of opened vs. unopened would have to be worked out so it's a non-negligible amount compared to legitimately opened mail. I suspect that would still account for quite a large volume of traffic.

 

Google's proxy servers request the image each time you open a message which means that spammers will know that your email address is active if they embed unique images in emails. 

 

From Google's support page:

 

 

If anything, this will lead to more spam.

 

i guess that means they don't open anything sent to nonexistent addresses.


From what people are seeing, Google downloads the images when they receive the email (Maybe for non-existent addresses? not sure), and for some users they re-download the images every time the email is opened (Which makes the whole thing useless)

The one upside is that the marketers don't see the source IP/UA info, but they can still detect valid/invalid accounts, and when a user opens the mail.
