Google’s decision to automatically display images in Gmail messages exposes users to read-tracking and has other privacy and security consequences.

Google’s decision to automatically display images in Gmail messages has security experts on edge about the privacy and security implications of the move. Of particular concern is the ability of an attacker, or marketer, to learn whether messages are being opened, as well the possibility of an attacker spiking an image URL with additional attacks that could lead to denial of service conditions or worse.

“Any image URL in the email is now requested by Google’s servers. This may allow some malicious behaviors to be automated just sending image-laden messages to dozens of random Gmail account holders,” said HD Moore, CSO at Rapid7 and creator of the Metasploit Framework, in email to Threatpost. “For example, some Web application flaws can be exploited simply by requesting a URL. Granted, this is no different than viewing a webpage or displaying images manually, but due to the automatic’ loading of the image URL, it becomes a much more practical attack.”

Google product manager John Rae-Grant said yesterday that Gmail will serve images through its proxy servers, which will scan image files for malware before they’re displayed on the user’s end.

“You’ll never have to press that pesky ‘display images below’ link again, Rae-Grant said. “Similar to existing features like default https access, suspicious activity detection, and free two-step verification, image proxying is another way your email is protected.”

While images may arrive free of malware, experts caution there are privacy implications to consider too that could threaten personal safety as well as invite unwanted product marketing.

“There are two ways this could be used by malicious actors depending on how it is architected. First, it can be used to track users more effectively, because images are always enabled,” said Robert Hansen, Director of Product Management for WhiteHat Security. “However, if the images are pulled instantly, as opposed to pulled when the user opens the email, it opens up the possibility of mass denial of service attacks by Google if a spammer sends enough email to his victims with unique URLs that Google must go and fetch.”

Moore said Google could solve the tracking problem if Gmail were to cache images as email is received before the user reads the message. But there’s a hitch there too.

“It does open the door to malicious request proxying in a much more aggressive form,” Moore said. “There would be ways to avoid or mitigate these issues (request limiting, etc), but it would create additional work for Google.”

Moore said he tested the issue by sending a HTML email to his Gmail account that included an <img> tag pointing to one of his Web servers. Moore said the image was proxied through Google’s servers, and every time he opened the email and clicked “Display Image,” Google would send a new request to the web server.

“Google has stated that they will be caching images as well, but that doesn’t seem to the case right now,” Moore said. “Caching would prevent the same image from being loaded more than once, but it doesn’t prevent tracking techniques that use unique images per target.”

Moore added that when Gmail starts displaying images automatically—Google said the move is immediate on the desktop and expected to roll out early 2014 on mobile apps—read-tracking would be enabled by default.

“This would allow a stalker or other malicious entity to determine whether the email they sent to a target is being read,” Moore said.

Google’s decision, he said, also makes it possible to enumerate active email accounts by sending email with tracking images, a simple test to determine whether accounts are dormant.

Hansen argues that the user benefits little from the decision other than perhaps Gmail messages loading faster and that the user’s IP address is not sent to the remote server. But like Moore, he speculates about Google’s motive.

“This could actually just be the opening act of an additional privacy-destroying business model, where Google charges bulk email advertisers for information about email open rates,” he said.

Google has provided instruction on how to change the default setting here and have Gmail ask before displaying images.