Mark as unread - gmail and yahoo

J.A. Terranson measl at mfn.org
Wed Jun 3 16:41:16 PDT 2009


On Wed, 3 Jun 2009, Sarad AV wrote:

> Hi,
> 
> It has been some time since both gmail and yahoo have introduced this 
> (Mark as unread) feature in their webmail access.
> 
> If your mail account has been compromised (someone else figures your 
> password), then the attacker can at will read your unread mail and then 
> mark it as unread. When the 'mark as read' option was not available, a 
> successful attacker would have to delete the unread email to avoid 
> detection, but then the sender will at some point of time inform the 
> recipient about the mail that he never received.
> 
> In both cases, the attacker can still read all the mails already read by 
> the recipient but if the recipient has the habit of deleting (including 
> trash) immediately after reading the mail, it helps the attacker to have 
> a mark as unread option. As soon as the mail arrives, the attacker reads 
> it and marks it as unread. Then the recipient gets to read it and he 
> will immediately delete it.
> 
> As far as mail clients such as Outlook go, I think if it is deleted 
> from webmail, it will not appear in your Outlook mail client (not sure, 
> someone can confirm this). It may be better for security if there is no 
> unread option.

So far, so good: I agree with both your opinions and analysis in support 
thereof. Unfortunately, I believe that every major reader (from PINE up) 
has the complained-about functionality (I may very well be wrong here: 
FD). I routinely use this on PINE as a sorting measure (a way to force a 
re-read later on down the road).


> Moreover, Gmail allows you to see the last login IP to your email and 
> the current session IPs but that won't help if the attacker is from the 
> same organization (with a lot of computers connecting through the same 
> public IP) that you use to access your email.
> 
> Comments?

The only way I see any reasonable chance of changing this [fairly common] 
behaviour is with an RFC. Willing to write one?  I'll be happy to co-author, 
but there needs to be a primary.

> Thank you,
> Sarad.

//Alif 

-- 
Yours,
J.A. Terranson
sysadmin_at_mfn.org
0xpgp_key_mgmt_is_broken-dont_bother

"Never belong to any party, always oppose privileged classes and public
plunderers, never lack sympathy with the poor, always remain devoted to
the public welfare, never be satisfied with merely printing news, always
be drastically independent, never be afraid to attack wrong, whether by
predatory plutocracy or predatory poverty."

Joseph Pulitzer
1907 Speech
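
An added detection sketch for the scenario discussed in this thread (not part of either poster's message, and not any provider's real log format): it flags a message whose read flag was set and cleared in one session and then set again in a different session, and shows that the source IP alone cannot separate the two when both sit behind one public address. The log layout, session ids and action names are constructed assumptions.

```python
# Constructed audit log (hypothetical format, not a real provider export):
# timestamp, source IP, session id, message id, action
SAMPLE_LOG = """\
2009-06-03T09:00:05 203.0.113.7 sess-A msg-101 SEEN_SET
2009-06-03T09:00:40 203.0.113.7 sess-A msg-101 SEEN_CLEARED
2009-06-03T09:30:12 203.0.113.7 sess-B msg-101 SEEN_SET
2009-06-03T09:30:50 203.0.113.7 sess-B msg-101 DELETED
2009-06-03T10:02:00 203.0.113.7 sess-B msg-102 SEEN_SET
2009-06-03T10:05:00 203.0.113.7 sess-B msg-102 SEEN_CLEARED
2009-06-03T11:00:00 203.0.113.7 sess-B msg-102 SEEN_SET
"""

def parse(log):
    """Return events as (ts, ip, session, msg, action), oldest first."""
    events = [tuple(line.split()) for line in log.splitlines() if line.strip()]
    return sorted(events)  # ISO-8601 timestamps sort correctly as strings

def suspicious_resets(events):
    """Map msg id -> (session that read and reset it, session that read it next).

    A reset followed by a re-read in the SAME session is treated as the
    owner's own "mark unread to revisit later" habit and is not reported.
    """
    last_set = {}   # msg -> session that most recently marked it read
    reset_by = {}   # msg -> session that cleared a read flag it had set itself
    findings = {}
    for _ts, _ip, session, msg, action in events:
        if action == "SEEN_SET":
            resetter = reset_by.pop(msg, None)
            if resetter is not None and resetter != session:
                findings[msg] = (resetter, session)
            last_set[msg] = session
        elif action == "SEEN_CLEARED" and last_set.get(msg) == session:
            reset_by[msg] = session
    return findings

def source_ips(events, msg_id):
    """Distinct source IPs that touched a message."""
    return {ip for _ts, ip, _s, msg, _a in events if msg == msg_id}

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for msg, (first, second) in suspicious_resets(evts).items():
        print(msg, "read+reset by", first, "then read by", second,
              "| source IPs:", sorted(source_ips(evts, msg)))
```
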




