Google has tweaked Gmail so that users can now see images in-line with their emails, but the change could compromise the client's security according to some commentators.
Detailing the changes in a blog post, the search giant revealed that Gmail users will now automatically see images in-line with their emails, having previously been restricted to viewing photo attachments only after clicking the “display images below” button.
That restriction had been a security measure. Email attachments are often created in the same HTML mark-up language as is used to create web pages and, as such, there was the possibility that some personal information could be shared with third parties.
This was because the images were often located on third-party servers, and viewing an image would serve up information such as the browser you were using and your IP address.
Google now says that Gmail will host all images on its own secure proxy servers, meaning that there is less chance of personal data arriving in the hands of spammers, stalkers and internet marketers.
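The mechanism described above, as an added illustration (not Google's code): a scanner that finds remote images in an HTML message body, flags the ones that look like tracking pixels, and rewrites them to fetch through a proxy. The proxy address, the tracker heuristic and the sample message are all assumptions constructed for the example.

```python
"""Find remote images in an HTML email and rewrite them through a proxy.

Added example, not Gmail's implementation. PROXY, the heuristics and
SAMPLE are constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

PROXY = "https://proxy.example.invalid/fetch?url="  # hypothetical proxy


class ImageCollector(HTMLParser):
    """Collect <img> tags whose src points at a remote http(s) host."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlsplit(src).scheme in ("http", "https"):
            self.images.append(
                {"src": src, "width": a.get("width"), "height": a.get("height")}
            )


def remote_images(html):
    parser = ImageCollector()
    parser.feed(html)
    return parser.images


def looks_like_tracker(img):
    """Heuristic: a tiny image, or an opaque per-recipient token in the URL."""
    tiny = img["width"] in ("0", "1") and img["height"] in ("0", "1")
    return tiny or len(urlsplit(img["src"]).query) >= 24


def proxied_html(html):
    """Rewrite every remote image so the proxy, not the reader, contacts
    the third-party host. The sender still learns the message was opened
    (the proxy fetches when it is displayed); only IP and browser are hidden.
    Assumes src values contain no HTML entities, so a text replace is safe."""
    out = html
    for img in remote_images(html):
        out = out.replace(img["src"], PROXY + quote(img["src"], safe=""))
    return out


SAMPLE = (  # constructed sample message
    '<p>Hello</p>'
    '<img src="https://img.example.net/logo.png" width="200" height="60">'
    '<img src="https://track.example.net/open?id=a1b2c3d4e5f6a7b8c9d0e1f2"'
    ' width="1" height="1">'
    '<img src="cid:inline-part">'
)
```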
But despite the change, HD Moore, chief research officer at Rapid7 and chief architect of Metasploit, said that he had found several flaws when testing the new functionality.
“If Gmail does start to display images automatically (which is their stated intent) and this occurs only when a user views the message, it will enable ‘read tracking’ by default for all Gmail users,” said Moore in correspondence with SCMagazineUK.com.
“This would allow a stalker or other malicious entity to determine whether the email they sent to a target is being read.” He went on to add that it could also be susceptible to other malicious activity, like tracking whether a Gmail account is active or not.
The Silicon Valley firm says that any dissatisfied users can revert to the old method through the settings menu, but adds that the change will come to the Gmail iOS and Android apps in early 2014.
Google has made steady improvements to Gmail security in recent years. The company added two-step verification in 2011, and default HTTPS access and suspicious activity detection the year before.