Recently Google announced that it had changed its policy dealing with images in email. In a blog post on the official Gmail blog, Google said:
You’ll soon see all images displayed in your messages automatically across desktop, iOS and Android. Instead of serving images directly from their original external host servers, Gmail will now serve all images through Google’s own secure proxy servers.
Simply put, this means that all pictures in emails will now be automatically displayed. Instead of being served directly from the site hosting the image, however, they will be given a copy that has been scanned by Google.
Officially, the stated rationale for this change is that previously, senders “might try to use images to compromise the security of your computer”, and that with the change images will be “checked for known viruses or malware”. This change affects users who access Gmail via their browser, or the official iOS and Android apps.
In the past, there have been occasions where malicious images were used to compromise computers. A number of image formats were exploited in 2005 and 2006, including a Windows Metafile vulnerability (MS06-001), and an Office vulnerability that allowed arbitrary code execution (MS06-039). More recently, a vulnerability in how TIFF files were handled (MS13-096) was found and not patched until the December Patch Tuesday cycle. Properly implemented, scanning the images would be able to prevent these attacks from affecting users.
However, actual exploitation of these vulnerabilities has been relatively uncommon. Exploit kits have opted to target vulnerabilities in Flash, Internet Explorer, Java, and Reader instead. Image vulnerabilities are not even listed in the control panels of these kits.
The primary reason to block images is not to block malware, but to stop information leakage. Images are used by spammers and attackers to track if/when email has been read and to identify the browser environment of the user. Email marketers also use this technique to check how effective their email campaigns are.
Email marketers have already confirmed that in spite of Google’s moves, email tracking is still very possible. Google’s proposed solution (a web proxy that checks images for malware images) appears to solve a small security problem (malicious image files), while leaving at risk user’s security and privacy. Attackers still have the capability to track that users have read email–and to learn aspects of their browser environment.
Users can still revert to the previous behavior via their Gmail settings, as outlined in Google’s blog post:
Of course, those who prefer to authorize image display on a per message basis can choose the option “Ask before displaying external images” under the General tab in Settings. That option will also be the default for users who previously selected “Ask before displaying external content”.
We strongly recommend that users change this setting for their accounts. Users who access Gmail via POP3 or IMAP should check the settings of their mail application to control the display of images.