Summary
When Gmail users send mail from mechanisms other than Google’s web interface (e.g., their phone or laptop’s email program), Gmail includes the user’s IP address in message headers. This information disclosure lets recipients of these messages perform some privacy-invasive actions, such as determining:
- Approximate geographical location of the sender
- Correlation of separate Gmail addresses that are used by the same sender
- Broadband and / or cellphone provider
Users looking to send email in a manner that keeps this information private from message recipients should use either Gmail’s web interface or an alternative mail provider.
Discussion
Non-web email clients generally use the Simple Mail Transfer Protocol (SMTP) to connect and send mail via their mail service provider. Examples of these non-web email clients are the mail applications built into phones (Android, iOS) or desktop / laptop operating systems (Apple Mail, Windows Mail).
When these applications connect to Gmail’s SMTP server to send an outgoing mail, part of the protocol requires a “HELO” or “EHLO” message. RFC 821 describes this exchange as:
    At the time the transmission channel is opened there is an exchange to ensure that the hosts are communicating with the hosts they think they are.

    The following two commands are used in transmission channel opening and closing:

        HELO <SP> <domain> <CRLF>

        QUIT <CRLF>

    In the HELO command the host sending the command identifies itself; the command may be interpreted as saying "Hello, I am <domain>".

    -------------------------------------------------------------

                    Example of Connection Opening

        R: 220 BBN-UNIX.ARPA Simple Mail Transfer Service Ready
        S: HELO USC-ISIF.ARPA
        R: 250 BBN-UNIX.ARPA

                              Example 5

    -------------------------------------------------------------
Most mail clients include the user’s public IP address and host name as part of this exchange, with Apple Mail even including the IP address on the internal network used to send the mail. One could argue that mail clients should not send this information as part of the exchange, but some SMTP servers validate that the actual IP address of the sender matches the content of the SMTP exchange as a form of spoofing protection.
As mail servers transport the message from its original SMTP server to the destination email server, much of this conversation is retained as part of the message’s mail header content. Microsoft has a good resource on how to see and interpret these mail headers here: https://support.office.com/en-us/article/view-internet-message-headers-in-outlook-cd039382-dc6e-4264-ac74-c048563d212c, but an example looks like this:
As you can see in the “Received: from” headers above, some SMTP servers redact the sender’s client IP out of the rest of the exchange, replacing it instead with the address of the SMTP server. Two examples of email services that perform this client IP redaction are Outlook.com (as above) and AOL.com.
Gmail’s SMTP servers do not perform this redaction, which provides the following data to recipients of the message:
Recommendation
Users looking to send email in a manner that keeps this information private from message recipients should use either Gmail’s web interface or an alternative mail provider.
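To check what a given provider and mail client actually disclose, send yourself a message and inspect the oldest “Received: from” header. The script below is an added example, not code from the original post; the function names, host names and sample headers are constructed for illustration and use documentation address ranges.

```python
import email
import ipaddress
import re

# IP literals as written in Received headers: [192.0.2.1] or [IPv6:2001:db8::1]
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

def submission_hop(raw_message):
    """Parse the oldest Received header, which records the client's SMTP session."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    # Each relay prepends its own header, so the last one listed is the first hop.
    hop = " ".join(received[-1].split())   # unfold continuation lines
    client = hop.split(" by ", 1)[0]       # the "from ..." clause describes the client
    helo = re.match(r"from (\S+)", client)
    result = {"helo": helo.group(1) if helo else None, "internal": [], "external": []}
    for literal in IP_LITERAL.findall(client):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:
            continue                       # bracketed text that is not an address
        kind = "internal" if any(ip in net for net in INTERNAL_NETS) else "external"
        result[kind].append(str(ip))
    return result

def disclosed(raw_message, my_addresses):
    """Return the sender's own addresses that the submission hop reveals."""
    hop = submission_hop(raw_message)
    seen = set(hop["internal"] + hop["external"]) if hop else set()
    return sorted(a for a in my_addresses if str(ipaddress.ip_address(a)) in seen)

# Constructed samples: documentation address ranges and hypothetical host names.
UNREDACTED = (
    "Received: from smtp.provider-a.example ([198.51.100.20])\n"
    "\tby mx.recipient.example with ESMTPS id def456\n"
    "Received: from [10.0.0.23] (client.isp.example. [203.0.113.7])\n"
    "\tby smtp.provider-a.example with ESMTPSA id abc123\n"
    "From: sender@provider-a.example\n\nbody\n")
REDACTED = (
    "Received: from smtp.provider-b.example ([198.51.100.40])\n"
    "\tby mx.recipient.example with ESMTPS id ghi789\n"
    "From: sender@provider-b.example\n\nbody\n")

if __name__ == "__main__":
    print(disclosed(UNREDACTED, ["203.0.113.7", "10.0.0.23"]))
```

Pass disclosed() the raw source of a message you sent to yourself along with your own public and LAN addresses; an empty list means the submission hop does not reveal them.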
Disclosure Timeline
March 9, 2020 – Reported to Google security
March 10-19, 2020 – Assisted with steps to reproduce
March 20, 2020 – Resolved by Google as “Won’t Fix (Intended Behavior)”
March 20-31, 2020 – Worked to confirm that there were no future plans to fix
April 2, 2020 – Got confirmation that the team was aware of the issue and has no plans to fix
from Hacker News https://ift.tt/2Xg7BzZ