Slashdot Mirror


Does Gmail's New 'Confidential Mode' Make It Easier to Phish? (vortex.com)

Gmail's new confidential mode lets its users create "expiration dates" for emails, or require recipients to provide an SMS passcode. (And Google also claims they've removed the option to forward, copy, download or print messages.)

But Slashdot reader Lauren Weinstein warns that Google is also opening up a new vector for phishing emails: The problem arises since non-Gmail users cannot directly receive Gmail confidential mode messages. Instead...when a Gmail user wants to send a non-Gmail user such a message, the non-Gmail user is instead sent a link, that when clicked takes them to Google's servers where they can read the confidential mode message in their browser.

The potential risks for any service that operates in this way are obvious. Those of us working on Internet security and privacy have literally spent many years attempting to train users to avoid clicking on "to read the message, click here" links in emails that they receive. Criminals have simply become too adept at creating fraudulent emails that lead to phishing and malware sites.

82 comments

  1. Okay Google... by Desler · · Score: 5, Insightful

    And Google also claims they've removed the option to forward, copy, download or print messages.)

    So then you just print screen or take a picture of the email and then just transcribe it?

    1. Re:Okay Google... by Desler · · Score: 1

      Also how can Google stop someone from doing these things if the recipient doesn’t use Gmail?

    2. Re:Okay Google... by Anonymous Coward · · Score: 0

      You get sent a link. Read the whole summary numbnuts.

    3. Re:Okay Google... by Anonymous Coward · · Score: 0

      google can only control a stock and unmodified (i.e. no user scripts or extensions that change google's expected behaviour) browser process that is accessing the not-really-secure-but-we-gonna-call-it-that-anyway email message hosted on google's servers separate from email.. anything else, you can do whatever the fuck you want.

      this "feature" is just trouble waiting to happen.

    4. Re:Okay Google... by Lunix+Nutcase · · Score: 1

      Yep. Sounds just as dumb as this.

    5. Re:Okay Google... by Anonymous Coward · · Score: 0

      This is a great way to get around malware filters. Just need to get 1 or 2 of these and I will have some postfix rules to autospam block, followed by a return email explaining this will never be accepted. Plonk, auto notify.

    6. Re:Okay Google... by Anonymous Coward · · Score: 0

      So then you just print screen or take a picture of the email and then just transcribe it?

      And you are guilty of breaking the DMCA for circumventing Google's DRM.

    7. Re:Okay Google... by Anonymous Coward · · Score: 0

      creimer lives in Dumbfuckistan. According to his MyLife reviews he is also fat and gay.

    8. Re:Okay Google... by Anonymous Coward · · Score: 0

      Sounds like the perfect excuse for "I never read that email." If it doesn't come through as plain text, I don't read it. And knowing Google it will probably report to the sender if the link were ever clicked, as a read confirmation. So even more proof you never saw said message.

    9. Re:Okay Google... by kriston · · Score: 3, Insightful

      Yep. Like a marketing company that wanted to display product concepts in a way that the user could not save the image or print it.

      Print Screen aside, it didn't occur to them that the user could just take a photograph of the screen. This was before smart phones but after digital cameras and the Print Screen function (just hit PrtSc, open Paint, and Edit...Paste) had been there for at least a decade.

      --

      Kriston

    10. Re:Okay Google... by eddeye · · Score: 1

      And Google also claims they've removed the option to forward, copy, download or print messages.)

      So then you just print screen or take a picture of the email and then just transcribe it?

      Better yet - stop using gmail altogether. It's my email and my web browser. I decide what data to copy / forward / download... not some prick with a sloppy javascript hack.

      --
      Democracy is two wolves and a sheep voting on lunch.

    11. Re:Okay Google... by Anonymous Coward · · Score: 0

      It's even worse. Using Google's new "Confidential Mode" you don't even need to send me a confidential email. I can simply use any number of markup tools to create a fake image of an email that you sent and then take a photograph of the screen.

      When will Google ever learn.

    12. Re:Okay Google... by Anonymous Coward · · Score: 0

      I thought print screen/paste into paint was as old as windows 98, so it's before digital cameras were common.

  2. Attempt != Success by war4peace · · Score: 2, Funny

    "Those of us working on Internet security and privacy have literally spent many years attempting to train users to"

    So... tell me your success stories.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)

    1. Re:Attempt != Success by Ol+Olsoc · · Score: 1

      "Those of us working on Internet security and privacy have literally spent many years attempting to train users to"

      So... tell me your success stories.

      You have to admit, this is a helluva awesome attack vector. Just spoof a Gmail confidential email - whatever could go wrong? Ima grab me some popcorn!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    2. Re:Attempt != Success by dizzy8578 · · Score: 1

      I quit trying to train lusers long ago. Too many corporate types training them to be insecure. Hiding extensions, ActiveX, hiding email addresses, link shortening, click link to install, auto-start. Idiot proofing forces the evolution of better idiots.

      --
      *"Cogito Ergo Liberalis"*

    3. Re: Attempt != Success by Anonymous Coward · · Score: 0

      Thing is, if the submitter really went back a long way, she would remember the various email "encryption" gateways that all worked exactly like this. They all failed because UX was utter shit. S/MIME with X.509 certs/keys is the only current proven solution and it doesn't do the DRM that Google is promising.

      Google is trying to compete with RMS that Microsoft is offering with O365 and I say good luck and lol to that. No DRM solution I've seen (and I've seen a lot) will succeed. RMS has a chance because of Microsoft ubiquity but I still don't hold much hope for it.

      This will be a flash in the pan

    4. Re:Attempt != Success by Obfuscant · · Score: 0

      So... tell me your success stories.

      The Uni I work at warns people about phishing, and has an address to forward phishing attempts to to report them. Here's the success stories:

      1. Employees are required to fill out a timesheet once a month showing vacation, sick, etc days. This used to be paper. It is now a web form -- on a site external to the Uni but which requires a login using the Uni credentials. There are daily email reminders with a link to the site that start showing up on the first day of the month.

      2. The Uni purchasing people don't like it when people order things to do their jobs, so they make it as hard as possible. They have created a purchasing system using an external website with login using Uni credentials. SUCCESS!

      3. This purchasing system requires people who do manage to navigate the system and actually order something to "receipt" it after it arrives, and sends email reminders. The last reminders I got to do this began showing up at 9PM on Friday (long after I went home), and then again 9PM Sat., 9PM Sun, ... These emails have a link to an external website that requires logging in with Uni credentials. SUCCESS!

      I can't imagine that large corporations are doing better at this. Oh, wait, I know that some places are doing so much better. I am now getting regular email reminders from IEEE (you know, people who are supposed to understand computers and stuff) to log in to a website to agree to the new terms of service for IEEE web. It isn't an IEEE.org domain. These emails look SO much like spam that they are caught by the email appliance and automatically thrown in the spam folder (which it calls "RED" category).

    5. Re:Attempt != Success by Anonymous Coward · · Score: 0

      Getting the "IEEE" emails every other day. When you run a whois on the domain -- "mypinpointe.com" -- ICANN times out and GoDaddy says it is a private registration at namecheap.

    6. Re:Attempt != Success by Anonymous Coward · · Score: 1

      The "cloud" as a whole with corporate SSO integration is going to completely undo the years of hammering stuff not to do online and with email into people's heads. I just recently started a job with a company that is somewhat in between the phase of a start-up and "going corporate". Just about EVERYTHING they do is hosted in the cloud. It probably wouldn't take very much work to social engineer or click-bait some corp login credentials out of these people.

    7. Re:Attempt != Success by Anonymous Coward · · Score: 1

      The way we do it is to have an internal domain where the resolver answers all subdomains directed at it with a CNAME, so timesheet.redirect.example.com points to redirect.example.com. On that address is a webserver where a simple Python script checks the requested URL and host in an sqlite3 database. If found, it returns a 303 with the proper address, and if not found, returns a 404. That way, people only see internal addresses in emails and we can change the endpoint as the vendors demand without people having to change their bookmarks.
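The redirector the comment above describes, written out as an added example (this is not the commenter's own script): a (host, path) lookup table in sqlite3 behind a small HTTP handler that answers 303 to the vetted vendor URL or 404 for anything unknown. The zone name `redirect.example.com`, the vendor URLs and the table rows are constructed for the example. Two details worth having even in a toy: the query string is dropped before the lookup so only exact registered paths match, and a target that is not `https://` is refused so a stale row cannot send staff to a plaintext login page.

```python
"""Internal e-mail link redirector: host+path -> vetted vendor URL (303) or 404."""
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed internal zone; every subdomain of it CNAMEs to the host running this script.
REDIRECT_SUFFIX = ".redirect.example.com"

# Constructed sample table: these rows are the complete allowlist of outbound targets.
SEED_ROWS = [
    ("timesheet.redirect.example.com", "/", "https://timesheets.vendor-one.example/login"),
    ("purchasing.redirect.example.com", "/", "https://buy.vendor-two.example/"),
    ("purchasing.redirect.example.com", "/receipt", "https://buy.vendor-two.example/receipt"),
]


def open_db(path=":memory:"):
    """Open (or create) the redirect table and seed it with the sample rows."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS redirects ("
        "host TEXT NOT NULL, path TEXT NOT NULL, target TEXT NOT NULL, "
        "PRIMARY KEY (host, path))"
    )
    conn.executemany("INSERT OR IGNORE INTO redirects VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup(conn, host, path):
    """Return (status, location): (303, target) for a known pair, (404, None) otherwise."""
    host = host.split(":")[0].lower().rstrip(".")          # strip port, normalise case
    if not host.endswith(REDIRECT_SUFFIX):
        return 404, None                                    # not one of our redirect names
    path = urlsplit(path).path or "/"                       # ignore query string and fragment
    row = conn.execute(
        "SELECT target FROM redirects WHERE host = ? AND path = ?", (host, path)
    ).fetchone()
    if row is None:
        return 404, None
    target = row[0]
    if urlsplit(target).scheme != "https":                  # never redirect to plaintext
        return 404, None
    return 303, target


class RedirectHandler(BaseHTTPRequestHandler):
    db = None  # set by serve(); HTTPServer is single-threaded, so one connection suffices

    def do_GET(self):
        status, location = lookup(self.db, self.headers.get("Host", ""), self.path)
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        # Empty body: nothing from the request is reflected back to the browser.
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(port=8080):
    """Run the redirector on localhost (bind behind the internal CNAME target in practice)."""
    RedirectHandler.db = open_db()
    HTTPServer(("127.0.0.1", port), RedirectHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it and request `http://127.0.0.1:8080/receipt` with a `Host: purchasing.redirect.example.com` header to see the 303; the same path on a host outside the zone, or a path not in the table, gets a 404 with no body. Because the table is the only source of outbound targets, changing a vendor URL is a single row update and users' bookmarks and e-mail links stay on the internal name.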

    8. Re:Attempt != Success by LQ · · Score: 1

      There are products like Mimecast's URL Protect that validate links and train users on link safety.

    9. Re: Attempt != Success by JackieBrown · · Score: 1

      Are you encrypting your apostrophes? Because I have to admit, you successfully made your post difficult for me to decrypt.

    10. Re:Attempt != Success by JackieBrown · · Score: 1

      Wow. Why in the world was this post modded down? I'm really curious what made this post worth downmodding?

      I am starting to think that Slashdot should change their "no posting on stories you moderate" rule and replace it with requiring a public post (anonymous) explaining the reason for the mod.

    11. Re:Attempt != Success by Anonymous Coward · · Score: 0

      Wow. Why in the world was this post modded down? I'm really curious what made this post worth downmodding?

      There are many trolls on Slashdot these days, and they have mod points. If you get on their bad side, they'll add you to their list of folks they don't like. Whenever they or their sockpuppet accounts gets mod-points, they will go through their list and use all their mod points to mod down comments (regardless of content) to try to trash their karma. It works, too.

      I am starting to think that Slashdot should change their "no posting on stories you moderate" rule and replace it with requiring a public post (anonymous) explaining the reason for the mod.

      Maybe. Slashdot's mod system is broken, and the admins are absent. The only staff Slashdot has now are editors who post stories. All the documentation for Slashdot is years out of date (remember meta-modding?), there's no way to raise any sort of issues with them. I didn't think anything could really burn me out on this site, even Beta, but trolls and bad actors have pretty much taken over in the last several years. Moderation abuse is wide-spread, and there's nothing to be done about it. Now I know why people have left their accounts and only post AC.

  3. SMS? WTF! by Anonymous Coward · · Score: 0

    require recipients to provide an SMS passcode

    What about those of us without a freakin' cellphone? Or without any text messaging plan?

    1. Re:SMS? WTF! by Lunix+Nutcase · · Score: 0

      You’re probably not a target demographic for this product then, gramps.

    2. Re:SMS? WTF! by viperidaenz · · Score: 1

      email

      What about those of us without a freakin' internet connection?

    3. Re:SMS? WTF! by Desler · · Score: 1

      No worries, Methuselah. They can send it on papyrus or stone tablet. Whichever way you’re accustomed to receiving messages.

    4. Re:SMS? WTF! by Anonymous Coward · · Score: 0

      You're in your 50s asshole. Don't try to be younger.

    5. Re:SMS? WTF! by JackieBrown · · Score: 1

      Google has you taken care of... sign up for google voice :)

  4. So what? by Anonymous Coward · · Score: 0

    If your users are trained to not click on the links then the service will fail because nobody gets the message. Do you have it out for anything google? It's always something.

    1. Re:So what? by green1 · · Score: 2

      That's fine really, because I have yet to come up with any legitimate reason to use this "service". If someone sends me one of these, I'll just send it to spam right away because there's no way it's a legitimate email.

      I would recommend that anyone running a mail server should probably do that system wide.

  5. ...have literally spent many years by Anonymous Coward · · Score: 0

    LITERALLY!

    Now, where can I get these years to spend? Lauren. A girl? A guy with a girl's name? LITERALLY!

    1. Re:...have literally spent many years by viperidaenz · · Score: 1

      Don't expect a reply.
      Over 300 story submissions and only 8 comments, none in the last two years.

    2. Re:...have literally spent many years by Anonymous Coward · · Score: 0

      It’s a “trans man.” It’s just some chick with a dildo strapped on that takes testosterone pills.

    3. Re:...have literally spent many years by Anonymous Coward · · Score: 0

      Don't expect a reply

      And that's the ultimate problem with this whole idea.

      It reminds me of years ago when I tried to use Boxtrapper. Nobody ever responded to my emails because they'd get a very simple and descriptive email sent to them telling them exactly what they needed to do to get my messages.
      I asked a friend, "Hey, did you get my email?"
      "Oh, I did get some link or whatever so I just deleted it"

      I will be handling these emails exactly the same way.

    4. Re:...have literally spent many years by Desler · · Score: 1

      That wasn’t what they were talking about. They were saying to not expect a reply from Lauren Graham who submitted their own blog post as the story.

    5. Re: ...have literally spent many years by Anonymous Coward · · Score: 0

      Because he's a Google PR shill, not a participant in the community.

  6. Yes. by DogDude · · Score: 1

    Yes. It'll make it incredibly simple to phish not only Gmail "users", but also people who receive email from Gmail "users". If this is implemented, I'll just set our mail servers to send all of these messages straight to the trash.

    --
    I don't respond to AC's.

    1. Re:Yes. by Anonymous Coward · · Score: 0

      If this is implemented, I'll just set our mail servers to send all of these messages straight to the trash.

      YOUR mail servers? Does your boss know about your plans to trash these messages, by the way?

  7. This is nothing new. by Anonymous Coward · · Score: 0

    Like:

    https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/

    "Victim clicks the link...enters his/her valid account credentials, progresses through two-factor authentication challenge"

    Nothing new here.

    1. Re:This is nothing new. by Anonymous Coward · · Score: 0

      Nothing new to see here.

  8. Chiill, bro by Anonymous Coward · · Score: 0

    Take it from Google Asshole Shawn Willden, aka Shillden, phishing must be a Really Good Thing, since GMail facilitates it.

    1. Re:Chiill, bro by Anonymous Coward · · Score: 0

      Grow up, AC, be a better person. Ad hominem won't do you any good in life.

  9. Ad company by AHuxley · · Score: 1

    has to ad.
    So the service links have to stay deep in their free networks to ensure the encrypted ads get seen by consumers.

    --
    Domestic spying is now "Benign Information Gathering"

  10. Microsoft has had this service for awhile by BLToday · · Score: 2

    Microsoft has had this service for a while: confidential and expiring email. If you've done a loan or bought a house in the last two years, you may have encountered it. Usually the loan or escrow company calls me ahead and tells me to expect it. So the best practice for these types of emails would be: don't click unless you're expecting it.

    1. Re:Microsoft has had this service for awhile by Desler · · Score: 1

      Also don’t be naive enough to believe that the email actually disappears.

  11. Amazing by Anonymous Coward · · Score: 0

    Google has invented a new way to send emails that you'll never know whether anyone will actually read it!

  12. This is at least the second " Slashdot reader Lauren Weinstein " story in as many days.

    Both have been some kind of speculative ... stuff.

    So, what's the deal? Why is she (or "she" - have you actually met her?) the new Jon Katz?

    1. Re:OK by Anonymous Coward · · Score: 0

      It's a he and this dude has had his shit posted to Slashdot for years. He's more like Bennett Haselton than Katz.

    2. Re:OK by Zocalo · · Score: 1

      He's a US blogger that spams every single post to his personal blog to the Slashdot submissions queue and then somehow manages to get it almost instantly upvoted to a red rating, presumably as some kind of lame attempt at SEO and generating views. (Note that I'm assuming that the Slashdot config isn't so lame as to have the queue indexed due to the amount of spam that gets posted to it, presumably also for attempted SEO via backlink reasons.) It's mostly opinion pieces, often misguided and/or misinformed, and cribbing off ideas posted by others, e.g. myself and several others raised and discussed this very possibility in the original Slashdot story on Confidential Mode. I'd say less like Jon Katz, and more Bennett Haselton from back in the days when Slashdot was still owned by DICE, only even more desperate for page views.

      --
      UNIX? They're not even circumcised! Savages!

  13. Oliver North tested and approved... by Anonymous Coward · · Score: 0

    Nuff said.

  14. This will last about as long as google plus by Anonymous Coward · · Score: 0

    google what?

  15. Obvious solution by just+another+AC · · Score: 2

    Everyone in the world should just use Gmail then. Duh!

    Cheers
    L. Page & S.Brin

  16. WTF by Anonymous Coward · · Score: 0

    Google must know that there is such a thing as a camera and at the moment the email is read from a screen. Anyone who wants to forward it will just take a picture(s) / video and forward it along.

    The most odd part is that non-gmail users would not be able to read these messages. That sounds less like email and more like a Google Garden to me!

    Whoever hatched this idea is a little bit ahead of themselves. Maybe when you have Google nano particles in your brain and you have the incoming message beamed into your eyes, then this may make sense. However, even then there will probably be some hack to make forwarding a copy possible (even if it's illegal).

    I can see the use of this if your company is using Google Apps (avoid accidental forwarding of confidential information). But beyond that it really makes very little sense.

  17. I saw this long ago on other security sites by Anonymous Coward · · Score: 0

    I saw this long ago on other security sites. Weinstein's stealing others' material claiming it as his own.

    1. Re:I saw this long ago on other security sites by Anonymous Coward · · Score: 0

  18. And if you use POP? by fahrbot-bot · · Score: 4, Insightful

    How does this work if you use POP (or IMAP) to get your messages from Gmail using, say, Thunderbird? If I get a link, I imagine I'll either ignore confidential mode messages or send a reply asking the sender to not be a dick and try again.

    --
    It must have been something you assimilated. . . .

    1. Re:And if you use POP? by Zocalo · · Score: 1

      You get the link to the webpage, same as any other system that Google doesn't have 100% control over. You'll only get the original email through the Gmail web interface, Gmail app, or the click-through page. In other words this entire system hinges on the ability of Google to successfully block "Save As" functionality (e.g. an arms race with browser plugin authors that attempt to keep it enabled), convince people that it actually has value, and that mail admins won't simply start blocking the emails outright due to excessive abuse in phishing attempts.

      --
      UNIX? They're not even circumcised! Savages!

    2. Re:And if you use POP? by Moskit · · Score: 1

      "Legacy" POP3 and IMAP will eventually be disabled, as they don't offer full range of modern features to the minority of users. It will be likely justified by lack of security (2FA?).

  19. Dear Google ... by fahrbot-bot · · Score: 1

    This Confidential Mode "feature" seems problematic and/or just a way to force people to interact with your servers. It adds a non-standard operational mode to Email and will cause problems and security concerns (like the aforementioned Phishing concern) for people who use email clients, like Thunderbird, with POP / IMAP to access their email -- not everyone likes using a browser (or your mobile app) for email. Stop making things unnecessarily complicated. If you're committed to supporting this impending dumpster-fire, please add a way for people using regular Gmail accounts to specify that they don't want to receive Confidential Mode messages.

    To summarize: Dumb, Do Not Want

    --
    It must have been something you assimilated. . . .

  20. Speaking of Phishing attempts ... by fahrbot-bot · · Score: 2

    So Google will send non-Gmail users (and presumably Gmail users using POP/IMAP) an email containing a link to the actual confidential email. But the first rule in *every* spam and anti-phishing training course -- which people are routinely required to take at work (I know I was) -- is: Don't click on links in email messages. Nice going Google.

    --
    It must have been something you assimilated. . . .

    1. Re:Speaking of Phishing attempts ... by Anonymous Coward · · Score: 0

      That was the entire point of the summary

    2. Re:Speaking of Phishing attempts ... by Anonymous Coward · · Score: 0

      Captain obvious, meet lieutenant obvious...

  21. How does one block this moronic misfeature. by Anonymous Coward · · Score: 0

    No, I don't want magic emails from idiots.

  22. Lauren "Down With Free Speech" Weinstein by Anonymous Coward · · Score: 0

    Why does Slashdot continue to publish submissions from well-known fascist, vigorous enemy of free speech, and shameless Google shill Lauren Weinstein?

  23. Re: No gmail in prison - nor privacy by Anonymous Coward · · Score: 0

    Good work, Billy! $0.50 has been deposited in your Shareblue account.

  24. Assholes. by Anonymous Coward · · Score: 0

    This is just one more attempt at slowly killing mail.

    Mail, as a decentral thing, pisses off the biggies, who would rather see their users jailed up in their respective silos.

    Listen, Google, Microsoft, Apple, Fakebook et al: you are parasites. Humankind doesn't need you and would be better off without you.

  25. This explains why they keep nagging that I should by Anonymous Coward · · Score: 0

    I definitely will not install a Google email client. I will use an email client of my choice.
    Anyway I am not actively using gmail.

  26. Simple by Anonymous Coward · · Score: 0

    Don't click on links in emails. If someone sends you such a bullshit email, report it as spam.

  27. Phone # harvesting by Moskit · · Score: 1

    Google was until now collecting your phone number directly from you, if you had a Google account.

    Now if the sender wants to use "confidential" mode on email to you (apparently regardless if you have gmail or other account), he has to provide Google your phone number so that SMS passcode can be sent.

    Clever marketing people just bought a bunchload of useful private information input by "Mechanical Turks" paid with "security". As already pointed out many times here it is painfully easy to screenshot those "confidential" emails and to forward them as picture files.

  28. Re-inventing PGP and S/MIME badly. by DrYak · · Score: 2

    Also why is Google trying to re-invent PGP and S/MIME, badly ?

    These already work nicely for confidential information:
    only the person holding a private key for which a message was encrypted can ever see the actual message.

    If an encrypted message ends up in the wrong hands, that mistaken recipient will NOT be able to open it anyway, due to not having the private key.

    The only difference is that a *decrypted* message could be copied-and-pasted from and a user could end up repackaging the information in another (non encrypted) message.
    Whereas here, GMail's confidential mode pretends to do something to prevent copy-paste and printing... and in practice is completely failing at it just as suggested.

    You cannot trust somebody else's computer to do what you want to do. No matter how much clever JavaScript you put into your stupid stuff, at best you're still vulnerable to the good old "analog hole" (i.e.: take a picture with a camera as suggested), at worst the target browser can be told to ignore any anti-printing hooks (e.g.: just hold "shift" while right-clicking, you'll get the default browser alt menu, no matter what the JavaScript tries to overload).

    The only thing that you can trust is that, thanks to correctly executed cryptography, your message reaches its intended destination without any unwanted 3rd party able to peer along the way. Once the intended person has de-crypted it, you cannot control anything.
    PGP (such as GPG, the Enigmail Thunderbird plugin, the Mailvelope browser plugin, etc.) and S/MIME have solved this a long time ago (with differences in the way trust is handled).

    No need for Google to invent a poorer solution... Oh yes, I get it. Current working solutions happen to *also* prevent Google from peering into your e-mail, so they cannot contextualize and get less efficient at selling your eyeballs to advertisers, and earn less money. That's why they need a poorer solution than PGP and S/MIME.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

    1. Re:Re-inventing PGP and S/MIME badly. by JackieBrown · · Score: 1

      Your solution still works. They didn't break that.

      This works for those people who want some extra security without having to walk family that live across the country through how to decrypt the email they just got from you.

  29. Call to Action by ericlondaits · · Score: 1

    Google already detects phishing emails and will most likely detect any pretending to be one of its own. But I have news from the year 2018... I get emails with links ALL THE TIME: Amazon suggestions and offers, gift cards, social network notifications, security advisories, updates from services I'm a customer of, etc. So if you want to prevent users from clicking on links received by email you already lost that battle.

    ... and phishing with emails pretending to be from the bank, FedEx, a social network or Microsoft are older than GMail and this adds nothing new but a new case that's the easiest to detect.

    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.

  30. In order to protect confidentiality by WoodstockJeff · · Score: 1

    Everyone should immediately delete the notifications, rather than worry about whether or not they're phishing attempts.

  31. Or it'll be a failed feature by ripvlan · · Score: 1

    I don't click links - that's how all spam comes. We've spent years teaching people "don't click Links in email - even if it comes from a friend -- it might be phishing"

    Therefore - many people will look at these emails with suspicion and recall "don't click the link" -- thus turning this product feature into Allo. Did anyone click the SMS link when a friend sent you a message?! nope. Dead product.

    of course my personal demographic probably won't use this feature anyhow. As Mark Z (sort-of) said, "If you aren't doing anything wrong, what do you have to hide?"

    Bill Gates would like to send you a message - please click this link to win free money!!

  32. Of course! by HiThere · · Score: 1

    The only question in my mind was which crimes did Google intend to make easier to hide with this new feature. My guess is it was intended to make corporate crimes easier to hide, and that making phishing easier was just a side effect.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.