Gmail starts scanning images in emails for malware

Graham Cluley

Google has announced an interesting change in the way that Gmail handles images in the messages you receive.

Up until now, Gmail has not automatically shown you images contained inside received emails, until you say that you’re happy for them to be shown.


This has been something of a pain for internet marketers sending out email newsletters, as it means they need you to approve them as a trusted sender before you’ll get to automatically see their beautifully formed HTML in all its glory, complete with its fancy inline images.


And it’s been an irritation for some Gmail users too, who were frustrated by having to click to “display images below”.

However, the reasoning for Google to have this functionality in Gmail in the first place was a sound one.

When you open an email created using the same HTML markup language used to create webpages, you can be sharing a ton of information with third parties.

That’s because the emails could contain inline images loaded from third-party servers.

And each time an image is fetched from the remote third-party server where it is hosted, you are revealing information about yourself – such as your choice of browser, your IP address (which might in turn reveal your location), and so forth.

Furthermore, people and companies can track if you have opened and read the message they have sent you, by checking their server logs to see if a particular image (known as a web beacon) inside the email has been viewed.

And the images themselves, hosted on remote third-party servers, could be deliberately malformed to exploit vulnerabilities in the software that parses them and (potentially) infect your computer with malware.

Google says that from now on the web version of Gmail will display images inside emails automatically. The same functionality will come to the official Gmail apps for iOS and Android shortly.


Furthermore, to protect against potential security issues, Google says that Gmail will serve all images through its own proxy servers, having checked them for known malware.

Of course, this does mean that Google is *changing* the content of your emails: links which used to grab images from third-party servers are rewritten so that the images are fetched from Google's own proxy servers instead.

In short, you should no longer have to worry about spammers, stalkers and internet marketers finding out where you might be in the world by embedding a tiny graphic in their email.

However, Google warns that it may still be possible for senders to know if you have opened an email, if unique image links are used.

Check out the paragraph lurking at the bottom of Google’s knowledgebase article:

In some cases, senders may be able to know whether an individual has opened a message with unique image links. As always, Gmail scans every message for suspicious content and if Gmail considers a sender or message potentially suspicious, images won’t be displayed and you’ll be asked whether you want to see the images.
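To make the two points above concrete, here is an added example (not Gmail's code, nor anything published by Google) that rewrites third-party image URLs in a constructed newsletter through a hypothetical proxy endpoint, the way the article describes, and flags images that look like web beacons. The proxy URL, the sample HTML and the beacon heuristics (1x1 dimensions, a long hex token in the query string) are all assumptions for illustration; the point it shows is that proxying hides the reader's IP address and browser, but a per-recipient unique link still lets the sender infer that the message was opened.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, quote

# Constructed sample newsletter body (not a real email): a normal banner,
# a 1x1 tracking pixel with a per-recipient token, and an inline attachment.
SAMPLE_HTML = """<html><body>
<p>Hello reader,</p>
<img src="https://cdn.example-news.test/header.png" width="600" height="120">
<img src="https://track.example-mailer.test/open?u=8f3a2c1d9e" width="1" height="1">
<img src="cid:logo@inline">
</body></html>"""

# Hypothetical proxy endpoint standing in for a mail provider's image proxy.
PROXY = "https://img-proxy.example.test/fetch?url="


class ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the message."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def classify(img):
    """'inline' for embedded MIME parts, 'beacon' for likely tracking pixels, else 'image'."""
    src = img.get("src", "")
    if src.startswith("cid:"):
        return "inline"          # served from the message itself, no remote fetch
    tiny = img.get("width") == "1" and img.get("height") == "1"
    # A unique-looking token survives proxying: the proxy still fetches it once
    # on the reader's behalf, so the sender learns the message was opened.
    tokened = bool(re.search(r"[?&][^=]+=[0-9a-f]{8,}", src, re.I))
    return "beacon" if (tiny or tokened) else "image"


def rewrite(html):
    """Route every remote image through PROXY; return the new HTML and a per-image report."""
    parser = ImgCollector()
    parser.feed(html)
    out, report = html, []
    for img in parser.images:
        src = img.get("src", "")
        kind = classify(img)
        if kind != "inline":
            out = out.replace(f'src="{src}"', f'src="{PROXY + quote(src, safe="")}"')
        report.append((urlparse(src).hostname, kind))
    return out, report
```

The report is what a defender would surface: the proxy removes the reader's IP and User-Agent from the third party's logs, while the `beacon` entry shows which image can still act as an open receipt.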

At least publicly, the email service providers used by businesses regularly sending out communications to their customers are putting on a brave face. They may find it harder to collect some data on the success of email campaigns, but at least their emails will now be viewable as intended in all of their graphic glory.

Take, for instance, what the guys at MailChimp had to say:

In Gmail’s announcement today, they said image caching allows them to securely turn on images by default. Image caching still lowers our ability to track repeat opens, but turning those images on means we’ll be more accurate when tracking unique opens. At least, theoretically it should work that way.

By leaving images turned off, Gmail has been allowing subscribers to open emails without downloading our tracking pixel, so those opens were invisible to us. If Gmail is going to display images automatically, those previously invisible opens should suddenly become visible.

If you don’t like Gmail enabling inline images by default, the good news is that you can disable this new functionality easily enough.

Here is how:

  1. Open Gmail.
  2. Click the gear icon in the top right.
  3. Select Settings.
  4. Scroll down to the Images section (stay in the “General” tab).
  5. Choose Ask before showing.
  6. Click Save Changes at the bottom of the page.

Gmail is, of course, a huge player in the email space – and it will be fascinating to watch what this decision will mean for the future of legitimate email marketing communications, and for the spammers and cybercriminals who attempt to abuse the medium.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “Gmail starts scanning images in emails for malware”

  1. Nick

    This is a really stupid move. Google has been downgrading their security, from Youtube and the Google Plus linkage, to still having "Night Vision Spy Camera" as the #4 top free android game, even though it's fake, puts a green tint over the camera, and has fake install and reviews. And now they are allowing images. Great! Now people can track your IP address just by emailing you. Gmail's assurance of scanning images means absolutely nothing. Is it going to be looking for just malware? Or IP logging images too? SMH. And I wonder if they left an option to disable it overall.

  2. Nick

    Never mind my last comment. I read the whole article now. But I still think Gmail's caching will not provide any security. I believe hackers will find a way around this.

  3. Stu

    You blurred out the name and email address in the first picture but left it unedited in the animated gif. Oops!

    1. Graham Cluley · in reply to Stu

      Actually it's the graphic Google used. So I doubt any real personal info shared :)

  4. drsolly
