December 13, 2013

Gmail's Newest Feature: Image Auto-display

If you haven't heard, Google is updating Gmail to automatically display images when an e-mail is clicked.

Echoing thoughts by our fellow security researchers, we see some uncomfortable risks accompanying the decision.  From a malware perspective, images can be vectors of malicious execution (here's a recent one).  Further, attack telemetry is a key currency in the threat creation industry.  The more information attackers have about which accounts are active, which users are prone to click, and how successful a particular social engineering trick is, the more success they will have targeting those users and, ultimately, the much bigger data exfiltration targets with whom those users are affiliated.  Attackers can now get that telemetry automatically when users click on their e-mails by inserting harmless images (at least initially) into their e-mail lures and then watching the traffic that comes back to their infrastructure.
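The telemetry mechanism above is simply a remote image whose URL is unique per recipient, so a mail gateway or security team can look for it before images are rendered. The following is an added example (not code from the original post or from Google) that flags remote images with tracking-pixel characteristics in an e-mail's HTML body; the sample message and its hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class RemoteImageScanner(HTMLParser):
    """Collect <img> tags that would fetch from a remote host when rendered."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):  # also called for <img ... />
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # data: and cid: images are embedded in the message and do not phone home
        if urlparse(src).scheme not in ("http", "https"):
            return
        self.images.append({"src": src, "width": a.get("width"), "height": a.get("height")})


def is_tracking_candidate(img):
    """Heuristic: invisible dimensions, or an opaque per-recipient token in the query string."""
    tiny = img["width"] in ("0", "1") or img["height"] in ("0", "1")
    qs = parse_qs(urlparse(img["src"]).query)
    opaque_token = any(len(v[0]) >= 16 for v in qs.values() if v)
    return tiny or opaque_token


def scan_email_html(html):
    """Return the remote images in an HTML body that look like open-tracking beacons."""
    parser = RemoteImageScanner()
    parser.feed(html)
    return [img for img in parser.images if is_tracking_candidate(img)]


# Constructed sample message: a real logo, a 1x1 beacon with a recipient token,
# an inline (cid:) attachment, and a versioned banner that is not a beacon.
SAMPLE_EMAIL = """<html><body>
<p>Your invoice is attached.</p>
<img src="https://cdn.example.test/logo.png" width="200" height="60">
<img src="https://track.example.test/open.gif?u=3f9a1c77b2e04d58a1" width="1" height="1">
<img src="cid:inline-attachment-1" width="300">
<img src="https://mail.example.test/img/banner.jpg?v=2" width="600" height="90">
</body></html>"""

if __name__ == "__main__":
    for hit in scan_email_html(SAMPLE_EMAIL):
        print("possible tracking image:", hit["src"])
```

Only the 1x1 image with the long query-string token is reported for the sample; a gateway could strip such images, rewrite them, or simply log the sender as a data point.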

We'll keep an eye on exploitation of this vector.  In the meantime, consider disabling this feature if you've got a low appetite for additional security risk.

