20070203

Annoying Gmail Flaw

Go to GMail. Look in your inbox. You get any of those newsletters with images in them? By default the images don't show. But as soon as you select "Print" the images show in the print preview. That's annoying.

Now, that might not seem like a big deal. But there's no reason why an image couldn't uniquely identify you. Or maybe the image is linked off another site, and executes an XSRF. And Print is between "Forward" and "Add so-and-so to Contacts". What if I meant to forward to a spam filtering service and fat-moused.

Sorry, Google. I've complained through the proper channels before, but no response yet.

I know, small, but still annoying to me. I don't want images displayed unless I explicitly ask to have them displayed.

3 comments:

  1. I completely agree, its one of the things that set Gmail apart from other email providers - that they seemed to take a proactive approach to security and did such things as blocking images, but it seems that they've been dropping the ball a bit lately, but for the moment I'll give them the benefit of the doubt, and hopefully they'll fix it.

    BTW, thanks for the heads up - its not likely I would have tried to print an untrusted email, but still; thanks.

    ReplyDelete
  2. That's what I thought was so odd about it - while it's not like other flaws haven't been found, they're usually quick to correct them. I sent word on this several months ago, but crickets....

    There's no way for me to prove this, but I"m BETTING they cache all images on their servers anyway, which would mean they have to request them anyhow. Your email might be validated before you ever open the email.

    ReplyDelete
  3. Of course there's a way to prove that - just send someone else (or even yourself) an email with an image of a hit counter or something you can check the logs for and see if you got more than one request.

    But I'd doubt that considering they have protections against you requesting the images, and I doubt its meant to be CSRF protection, so the only thing left to protect against is email locating 'attacks'.

    ReplyDelete