Monday, December 14, 2020

Gmail Click-time Link Protections

Paul Haddad:

Apparently Google is now doing this thing where they modify your incoming emails and wrap links around their link tracking service? Started in mid Oct. and I see no way to opt out.


Because links to malicious websites can be sent in emails, Google adds link protection for all official Gmail clients (web, Android, and iPhone & iPad). Some of these protections are now available for some users that use a third-party email application (IMAP client).

For these users, clicking a link in a recent message starts a malicious link check. If nothing malicious is detected, the user is taken to the destination. For older messages, a window might appear, requiring a tap or click to open the link.

But this means that Google gets to see what you click on, and if you save a copy of the message from Apple Mail you don’t get the original data.

Lewin Day:

For a subset of users, it appears Google is modifying URLs in the body of emails to instead go through their own link-checking and redirect service. This involves actually editing the body of the email before it reaches the user. This means that even those using external clients to fetch email over IMAP are affected, with no way to access the original raw email they were sent.

The security implications are serious enough that many doubted the initial story, suspecting that the editing was only happening within the Gmail app or through the web client. However, a source claiming to work for Google confirmed that the new feature is being rolled out to G Suite customers, and can be switched off if so desired.


For some, the implications are worse. Cryptographically signed messages, such as those using PGP or GPG, are broken by the tool; as the content of the email body is modified in the process, the message no longer checks out with respect to the original signature.


It has since come to light that for G Suite users with Advanced Protection enabled, it may not be possible to disable this feature at all.


I can and have reproduced this for over a week now and have been hammering google & apple to fix it with no luck. Google says it’s an Apple issue and Apple says it’s a Google issue. The issue only appears to surface under specific use cases and always requires the user to have setup on macOS or iOS with the gsuite account/user set to type “Google” vs. “IMAP”. This seems to be the real pickle as all the following use cases below require this to be true for the link manipulation to occur. The same messages viewed in or in on macOS or iOS with the account type set to “IMAP” have their links left untouched.


Google support has been effectively useless. Apple support has honestly done more to shed light on the issue. However, both companies are blaming the other and refusing to escalate to engineering or get on a call with the other company to sort this out together. Of course, Google support claims nobody else is reporting this, while Apple support alerted me to this thread. Super frustrating all around. If you are a Gsuite user please report this so I’m not yelling into the wind here. I can also confirm for my account the issue started on October 6, 2020.

See also: Stop Gmail click tracking.
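
As an added illustration of the signature breakage Lewin Day describes (not code from any of the quoted sources), this Python sketch uses a SHA-256 digest of the body as a stand-in for the hash a PGP signature covers, flags wrapped links in a delivered body, and checks whether unwrapping them restores the signed bytes. The wrapper URL shape (`www.google.com/url?q=...`), the function names and the sample message are assumptions; the page does not give the actual format.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a wrapped link looks like https://www.google.com/url?q=<destination>
WRAPPER_HOST = "www.google.com"
WRAPPER_PATH = "/url"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap(url):
    """Return the original destination if url is a wrapper link, else url unchanged."""
    parts = urlsplit(url)
    if parts.hostname == WRAPPER_HOST and parts.path == WRAPPER_PATH:
        dest = parse_qs(parts.query).get("q")  # parse_qs also percent-decodes
        if dest:
            return dest[0]
    return url

def wrapped_links(body):
    """List (wrapper_url, destination) pairs found in a message body."""
    return [(u, unwrap(u)) for u in URL_RE.findall(body) if unwrap(u) != u]

def restore(body):
    """Replace every wrapper link with its destination."""
    return URL_RE.sub(lambda m: unwrap(m.group(0)), body)

def body_digest(body):
    """Digest over the exact body bytes; stand-in for the hash a signature covers."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def audit(body, signed_digest):
    """Compare a delivered body against the digest the sender signed."""
    return {
        "intact": body_digest(body) == signed_digest,
        "wrapped": wrapped_links(body),
        # True only if link wrapping was the sole, byte-reversible change
        "intact_after_unwrap": body_digest(restore(body)) == signed_digest,
    }

# Constructed sample: what the sender signed vs. what the client received
ORIGINAL_BODY = "Release notes: https://example.org/notes?id=7\nRegards, A.\n"
DELIVERED_BODY = ("Release notes: https://www.google.com/url"
                  "?q=https%3A%2F%2Fexample.org%2Fnotes%3Fid%3D7\nRegards, A.\n")

if __name__ == "__main__":
    print(audit(DELIVERED_BODY, body_digest(ORIGINAL_BODY)))
```

A real rewrite may not be byte-reversible, so a failed `intact_after_unwrap` does not by itself show that anything other than link wrapping changed the message.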


Presumably, if someone forwarded me one of these emails from their Gmail address, the wrapped links would be included? Or would that only be the case if they're using an IMAP client rather than the Gmail app or webmail?

@Alan Yes, with an IMAP client it would forward the wrapped links.

