GMail + TIFF = ?

I’ve patiently waited for nearly a year after I reported this bug for the first time, but now I think it is time to file the report the second time and to amuze my readers. So, open your GMail and send an email with an attached little-endian TIFF image (grab the one you see in this post, I have been unable to find other files this exploit will work with). Below the message text, you will see a preview of your TIFF image. Or, rather, a preview of a *random* TIFF image (or so it seems).
A preview for another different image is shown in every message this TIFF is attached to; this is very dangerous as somebody could use this method to automate retrieval of images sent by other GMail users.
On the bright side, you don’t get to know who sent the images you see, and you only have the low-res preview to play with (if you download the TIFF file, you’ll see the correct one).

A file that causes such a vulnerability can be downloaded here. Please only use it to confirm the bug, and do not abuse it!

Update: Google has acknowledged my bug report as of 2009-10-26 08:00 MSD, and the TIFF preview feature in GMail has been disabled. The bug has been assigned ID #532113728.

This entry was posted on Saturday, October 24th, 2009 at 16:43 and is filed under google, security, web development. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

7 Responses to “GMail + TIFF = ?”

  1. Guzman Says:
    October 31, 2009 at 10:10 | Reply

    Hope they get a fix soon, I used this feature to rapidly preview and discard spam faxes.

  2. Jeroen Pluimers Says:
    November 20, 2009 at 11:34 | Reply

    Ah – now I understand why my FAX TIFF image previews have not been visible since a couple of weeks.

    I agree with Guzman, as I use it for the same reason: I hope the fix it soon.

    It helps though that the View option (that works through Google docs) works again: it was broken, but they have repaired it.

    –jeroen

  3. GMail + TIFF = ? « Scientia potentia est « The Wiert Corner – Jeroen Pluimers’ irregular stream of Wiert stuff Says:
    November 25, 2009 at 16:11 | Reply

    [...] Rumith found about the bug more than a year ago, then rereported it, and blogged about it (GMail + TIFF = ? « Scientia potentia est). Soon after his blog post got published, the bug got acknowledged (hopefully that is not cause and [...]

  4. jpluimers Says:
    December 9, 2009 at 6:55 | Reply

    Well, it works again, see here: http://wiert.wordpress.com/2009/12/08/tiff-preview-in-gmail-now-works-was-gmail-tiff-%C2%AB-scientia-potentia-est-%C2%AB-the-wiert-corner-%E2%80%93-jeroen-pluimers%E2%80%99-irregular-stream-of-wiert-stuff/

    • rumith Says:
      December 9, 2009 at 8:29 | Reply

      Well, at least for the old mail with the TIFF file I used before it doesn’t work for now.

      • jpluimers Says:
        December 9, 2009 at 10:02

        So, the conclusion is: some TIFF images work, but little-endian images not?

      • rumith Says:
        December 9, 2009 at 10:11

        I can’t tell for sure, this is the only little-endian TIFF file I have, and I do not possess any advanced image editor software to generate another one for testing purposes.

Leave a Reply