Google has introduced a new Gmail feature called “Confidential Mode,” which seeks to make sending and receiving important or sensitive emails more secure. Unfortunately, it may have inadvertently created as many problems as it solves.
Here’s how the new feature works, and why you may be leery of using it:
To send a confidential email, compose your message as normal, and then, click the “lock” icon located at the bottom of the email screen. When this button is pressed, you’ll be presented with a number of options that will enable you to specify a self-destruct time ranging from one day to five years. The email will auto-delete after the amount of time specified.
You’ll also be able to specify whether the email requires a password to open, and of course, giving you the ability to set that password. Also, a message sent in Confidential mode cannot be forwarded to any other user or be printed out.
The new service works across all email systems because Confidential messages aren’t actually sent. The user will get a notification that they’ve received a confidential mail, and a link to click to access it, which points back to Google’s own servers where the email is housed.
Given this, the sender of the message also has the ability to selectively remove access to confidential emails if one was inadvertently sent to the wrong recipient.
All of that sounds great in theory, but there’s a problem. That’s exactly how phishing attacks work.
Security professionals have sounded the alarm that hackers will quickly begin spoofing Google’s new service, pointing the links in their messages toward their own servers. When users are prompted to provide their login credentials to see the message, they’ll be handing access to their email account over to the hackers. Google has not yet responded to or commented on this flaw in their new system. Use with caution.
