Gmail's Newest Feature: Image Auto-display

If you haven't heard, Google is updating Gmail to automatically display images when an e-mail is clicked.

Echoing thoughts by our fellow security researchers, we see some uncomfortable risks accompanying the decision. From a malware perspective, images can be vectors of malicious execution (here's a recent one). Further, attack telemetry is a key currency in the threat creation industry. The more information attackers know about which accounts are active, which users are prone to click, and how successful a particular social engineering trick, the more success they will have targeting those users and ultimately the much bigger data exfiltration targets with whom they are affiliated. Attackers can now get that telemetry automatically when users click on their e-mails by inserting harmless images (at least initially) into their e-mail lures and then watching the traffic that comes back to their infrastructure.

We'll keep an eye on exploitation of this vector. In the meantime, consider disabling this feature if you've got a low appetite for additional security risk.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.

Learn more about Forcepoint

Gmail's Newest Feature: Image Auto-display

About Forcepoint

Sign up for the latest from our research and development team

To the Point Cybersecurity

X-Labs

Get insight, analysis & news straight to your inbox

You are here

About Forcepoint

Sign up for the latest from our research and development team