Potential Security Problem with Google Mail
Apr 23rd, 2025 by Viviane
If you have a Google Mail account, you must read this. Please cross post!
A blogger alerted me to a potential security problem with Google Mail. As you probably know, Google Mail can be set up to send email from your other email addresses. You can also forward email to one account.
If you’re like me, you have several email addresses. A primary one, and a separate one for your blog activities. So these tools make it very easy and you don’t have to log in and out of multiple email accounts (or perhaps you use the Gmail Manager plug-in for your browser).
Gmail also lets you set your ‘reply preferences’ so that you can reply ‘as if’ from the forwarded address (http://tinyurl.com/ytb86h).
So let’s say I have an email account under my real name. Let’s call it ‘realname@gmail.com.’ And I have another email address for my blog. Let’s call that ‘blogname@gmail.com.’
I can have all that forwarded to realname@gmail.com, and reply from the realname address, thinking the recipient’s email will say, ‘from blogname@gmail’ (or whatever ‘reply-to’ address you set up).
The recipient WILL get an email saying, ‘from blogname@gmail.com.’
Here’s what this blogger experienced:
Here is the problem: If the recipient *also* has Google Mail, my ‘realname’ email is automatically added to their contacts list, even though they’ve never received an email “from” my ‘realname’ account. So there may well be people out there who are using one Gmail account as ‘primary’, which receives forwarded email from another account, who think they are replying to forwarded mail and think that the Gmail “reply as” function is preserving their anonymity, but it is not. Not if they are replying to someone with a Google Mail acct. The real Google Mail acct, the one they actually wrote the email from, will be auto-added as a contact to the recipient’s list of Google Chat contacts.
Most people (recipients) will not notice, not if they have had a Gmail acct for a long time–quick contacts only shows who you email most, and the new address will just be one on a long hidden list. If the recipient is someone with a brand new Gmail account, or someone who blocks contacts, it’s very, very obvious.
My friend who has more than one blog just answered a new sex blogger in this way, and got back an email saying, hey, are you also so-and-so? My friend called me and we checked this with my work Gmail, which I never list contacts on. Her ‘blogname’ address appeared in my contact function immediately when she emailed me of course, but her primary one appeared there as soon as I replied to the ‘blogname’ address.
So this brand new blogger, a stranger to my friend, now knows about both her blogs. Fortunately it was only a blogging address and not one tied to her work, but it very easily could have been.
I did test this with another blogger and we weren’t able to duplicate it. However, we discovered something alarming. I added her ‘blogname’ address to my contacts list.
I then went into the Contacts list and pulled up this contact’s record and expanded it, by clicking on ‘Edit Contact’, and then ‘Add More Contact Info’. Under the ‘Personal’ section for email, was listed her ‘realname’ address.
As soon as I figured this out, I went into ‘Settings’ and deleted all the other accounts I was managing from the primary account.
If you’re concerned about your privacy, you should, too.
I’ve written Google Mail to advise them about this issue. And I’m checking my Contacts list and expanding contacts to see if I see any other email addresses in a contact’s record. I’ve found one contact already where I can see their other email address.
So glad you wrote this, Smart Girl Viviane. I sincerely hope this was just a weird fluke because I love having all my accounts together.
Thank you!
Viviane,
Thank you for this, I’ll cross-post as soon as I can.
AAG,
It’s not a weird fluke, unfortunately. “It’s not a bug, it’s a feature.” Look at what gmail says at the link Viviane posted:
Note: your Gmail address will still be included in your email headers in the sender field, to help prevent your mail from being marked as spam. Most email clients do not display the sender field, though some versions of Microsoft Outlook may display “From customaddress@domain.com on behalf of yourusername@gmail.com.”
Bottom line: don’t answer email from any account but the one it was sent to, and do not enable the function that allows you to reply “from” a different address.
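A way to check one of your own sent messages for the header leak the Gmail note describes, added here as an example (it is not part of the original post or its comments): it parses the raw source of a message and reports any address in the Sender or Return-Path header that differs from the visible From address. The sample messages and example.com addresses are constructed, and checking Return-Path is an assumption that goes beyond the sender field the note mentions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a reply sent "as" the blog address from the primary
# account. All addresses and header values here are made up for illustration.
SAMPLE_LEAKY = """\
From: Blog Name <blogname@example.com>
Sender: realname@example.com
Return-Path: <realname@example.com>
To: reader@example.net
Subject: Re: hello

Thanks for writing!
"""

# Constructed sample: the same reply sent directly from the blog account.
SAMPLE_CLEAN = """\
From: Blog Name <blogname@example.com>
Return-Path: <blogname@example.com>
To: reader@example.net
Subject: Re: hello

Thanks for writing!
"""

# Headers that can name the account the message was really sent from.
# Sender is the field the Gmail note mentions; Return-Path is an assumption.
IDENTITY_HEADERS = ("Sender", "Return-Path")


def addresses(msg, header):
    """Return the lower-cased addresses found in every instance of `header`."""
    values = msg.get_all(header, [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def find_identity_leaks(raw_message):
    """List (header, address) pairs that reveal an address other than From."""
    msg = message_from_string(raw_message)
    visible = addresses(msg, "From")
    leaks = []
    for header in IDENTITY_HEADERS:
        for addr in sorted(addresses(msg, header) - visible):
            leaks.append((header, addr))
    return leaks


if __name__ == "__main__":
    for name, raw in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(name, find_identity_leaks(raw))
```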
This has happened to me but in the reverse. I had an email yesterday from a person (who I’m now presuming, uses Gmail as their ‘from address’ or something), and noticed that the bottom of that email had an Outlook attachment. At first I thought it was a media file, I clicked on it, and it requested me to use Outlook to open it, and then what did I get? I got all their details, their professional title, as well as their place of work.
Fair enough, their email address did feature their place of work, but that’s not enough to isolate anything else, but this ‘vcf’ file, which is like a calling card, once opened with Outlook, contained their contact phone number and I haven’t told them, because I don’t want to freak them out.
Many thanks to O for bringing this to my attention in the first place, and to you Viviane for posting it here where so many people will find it. Always good to know how to protect ourselves.
Scarlet x
Thank you for this post. It was very considerate of you to share this w/ your fellow naughty bloggers. Yikes! I can imagine all kinds of trouble with this type of thing. Kudos.
Quips & Chains Fetish Blog.
happened to me, too. luckily i caught it before anything uncomfortable happened. now i only log in via the actual account i want to use.
Goodness! Thanks for the heads up on this - it’s very useful to be aware of.
xx Dee