Mark as unread - gmail and yahoo
Hi,

It has been some time since both Gmail and Yahoo have introduced this (Mark as unread) feature in their webmail access.

If your mail account has been compromised (someone else figures out your password), then the attacker can at will read your unread mail and then mark it as unread. When the 'mark as read' option was not available, a successful attacker would have to delete the unread email to avoid detection, but then the sender will at some point in time inform the recipient about the mail that he never received.

In both cases, the attacker can still read all the mails already read by the recipient, but if the recipient has the habit of deleting (including trash) immediately after reading the mail, it helps the attacker to have a mark-as-unread option. As soon as the mail arrives, the attacker reads it and marks it as unread. Then the recipient gets to read it and he will immediately delete it.

As far as mail clients such as Outlook go, I think if it is deleted from webmail, it will not appear in your Outlook mail client (not sure, someone can confirm this). It may be better for security if there is no unread option.

Moreover, Gmail allows you to see the last login IP to your email and the current session IPs, but that won't help if the attacker is from the same organization (with a lot of computers connecting through the same public IP) that you use to access your email.

Comments?

Thank you,
Sarad.
On Wed, 3 Jun 2009, Sarad AV wrote:
> Hi,
>
> It has been some time since both Gmail and Yahoo have introduced this (Mark as unread) feature in their webmail access.
>
> If your mail account has been compromised (someone else figures out your password), then the attacker can at will read your unread mail and then mark it as unread. When the 'mark as read' option was not available, a successful attacker would have to delete the unread email to avoid detection, but then the sender will at some point in time inform the recipient about the mail that he never received.
>
> In both cases, the attacker can still read all the mails already read by the recipient, but if the recipient has the habit of deleting (including trash) immediately after reading the mail, it helps the attacker to have a mark-as-unread option. As soon as the mail arrives, the attacker reads it and marks it as unread. Then the recipient gets to read it and he will immediately delete it.
>
> As far as mail clients such as Outlook go, I think if it is deleted from webmail, it will not appear in your Outlook mail client (not sure, someone can confirm this). It may be better for security if there is no unread option.
So far, so good: I agree with both your opinions and the analysis in support thereof. Unfortunately, I believe that every major reader (from PINE up) has the complained-about functionality (I may very well be wrong here: FD). I routinely use this on PINE as a sorting measure (a way to force a re-read later on down the road).
> Moreover, Gmail allows you to see the last login IP to your email and the current session IPs, but that won't help if the attacker is from the same organization (with a lot of computers connecting through the same public IP) that you use to access your email.
>
> Comments?
The only way I see any reasonable chance of changing this [fairly common] behaviour is with an RFC. Willing to write one? I'll be happy to co-author, but there needs to be a primary.
> Thank you,
> Sarad.
//Alif

--
Yours,
J.A. Terranson
sysadmin_at_mfn.org
0xpgp_key_mgmt_is_broken-dont_bother

"Never belong to any party, always oppose privileged classes and public plunderers, never lack sympathy with the poor, always remain devoted to the public welfare, never be satisfied with merely printing news, always be drastically independent, never be afraid to attack wrong, whether by predatory plutocracy or predatory poverty."
Joseph Pulitzer, 1907 Speech