I’ve patiently waited for nearly a year after I reported this bug for the first time, but now I think it is time to file the report a second time and to amuse my readers. So, open your GMail and send an email with an attached little-endian TIFF image (grab the one you see in this post; I have been unable to find other files this exploit will work with). Below the message text, you will see a preview of your TIFF image. Or, rather, a preview of a *random* TIFF image (or so it seems).
A preview for another different image is shown in every message this TIFF is attached to; this is very dangerous as somebody could use this method to automate retrieval of images sent by other GMail users.
On the bright side, you don’t get to know who sent the images you see, and you only have the low-res preview to play with (if you download the TIFF file, you’ll see the correct one).
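The post does not say why the preview service picks the wrong image, so no root cause is assumed here. What a defender can take from it is that a thumbnailing pipeline should sanity-check a user-supplied TIFF before handing it to a decoder and before keying any cache on it. The following is an added example, not Google's code and not anything from the original post: a small structural validator for the TIFF header and IFD chain (byte-order mark, magic 42, in-bounds IFD and value offsets, loop-free IFD chain, non-zero dimensions), run against constructed little-endian samples built in memory. The sample builder and all tag values are constructed for illustration.

```python
import struct

# TIFF field types -> size in bytes (TIFF 6.0 spec, types 1..12)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
IMAGE_WIDTH, IMAGE_LENGTH = 256, 257


def build_little_endian_tiff(bad_ifd_offset=None, loop=False):
    """Constructed sample: a minimal 1x1, 8-bit grayscale, little-endian ("II") TIFF.

    bad_ifd_offset: replace the first-IFD pointer with an out-of-bounds value.
    loop: make the IFD's next-IFD pointer point back at itself.
    """
    pixel_offset, ifd_offset = 8, 10
    entries = [  # (tag, value); every entry is stored as type 4 (LONG), count 1
        (256, 1), (257, 1), (258, 8), (259, 1), (262, 1),
        (273, pixel_offset), (277, 1), (278, 1), (279, 1),
    ]
    first_ifd = bad_ifd_offset if bad_ifd_offset is not None else ifd_offset
    header = b"II" + struct.pack("<HI", 42, first_ifd)
    body = b"\x80\x00"  # one pixel byte at offset 8, plus padding so the IFD starts at 10
    ifd = struct.pack("<H", len(entries))
    for tag, value in entries:
        ifd += struct.pack("<HHII", tag, 4, 1, value)
    ifd += struct.pack("<I", ifd_offset if loop else 0)  # next-IFD pointer
    return header + body + ifd


def validate_tiff(data):
    """Return (ok, reason) after structural checks a preview generator should make
    before decoding: header, IFD bounds, value-offset bounds, loop-free chain, dimensions."""
    if len(data) < 8:
        return False, "too short for a TIFF header"
    order = data[:2]
    if order == b"II":
        end = "<"
    elif order == b"MM":
        end = ">"
    else:
        return False, "bad byte-order mark"
    magic, ifd_offset = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        return False, "bad magic"
    seen = set()
    dims = {IMAGE_WIDTH: 0, IMAGE_LENGTH: 0}
    while ifd_offset != 0:
        if ifd_offset in seen:
            return False, "IFD chain loops"
        seen.add(ifd_offset)
        if ifd_offset < 8 or ifd_offset + 2 > len(data):
            return False, "IFD offset out of bounds"
        (count,) = struct.unpack_from(end + "H", data, ifd_offset)
        if count == 0:
            return False, "empty IFD"
        ifd_end = ifd_offset + 2 + 12 * count + 4
        if ifd_end > len(data):
            return False, "IFD entries extend past end of file"
        for i in range(count):
            entry_at = ifd_offset + 2 + 12 * i
            tag, typ, n, raw = struct.unpack_from(end + "HHII", data, entry_at)
            size = TYPE_SIZES.get(typ)
            if size is None:
                return False, "unknown field type %d in tag %d" % (typ, tag)
            total = size * n
            # Values wider than 4 bytes live elsewhere in the file; check that offset.
            if total > 4 and raw + total > len(data):
                return False, "tag %d value offset out of bounds" % tag
            if tag in dims and total <= 4:
                # SHORT values are left-justified in the 4-byte field; LONG uses it whole.
                if typ == 3:
                    dims[tag] = struct.unpack_from(end + "H", data, entry_at + 8)[0]
                elif typ == 4:
                    dims[tag] = raw
        (ifd_offset,) = struct.unpack_from(end + "I", data, ifd_end - 4)
    if not seen:
        return False, "no IFD"
    if dims[IMAGE_WIDTH] == 0 or dims[IMAGE_LENGTH] == 0:
        return False, "missing or zero image dimensions"
    return True, "ok"


if __name__ == "__main__":
    print(validate_tiff(build_little_endian_tiff()))
    print(validate_tiff(build_little_endian_tiff(bad_ifd_offset=0x7FFFFFFF)))
    print(validate_tiff(build_little_endian_tiff(loop=True)))
```

The validator handles both "II" and "MM" files even though the post only concerns little-endian ones; rejecting a file here means the preview generator never decodes it, and any preview cache should be keyed on a hash of the full attachment bytes rather than on anything read out of the file.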
A file that causes such a vulnerability can be downloaded here. Please only use it to confirm the bug, and do not abuse it!
Update: Google has acknowledged my bug report as of 2009-10-26 08:00 MSD, and the TIFF preview feature in GMail has been disabled. The bug has been assigned ID #532113728.
Posted by rumith