Google's GMail and encrypted ZIP files
Thursday, February 26, 2009
I use my Gmail account as a storage device; 7GB is a lot of free disk space. I zip my files and email them to myself. From time to time, I have sensitive data that I don't want Google to look at (all right, Google's programs). Because of this, I encrypt the zip archive with the strongest key possible (right now, it's a 256-bit key; this thing is virtually unbreakable). As it happens, Google doesn't like it when you do this, because its virus scanner can't read the file and immediately flags it as a virus. If you've done this, you know your messages will bounce.
What are you to do, if you really want to send that encrypted email to someone (or yourself)?
Simple: just change the extension of the file to something else. I change it to '.txt' and send the file. Google's virus scanner doesn't flag it and it sends fine.
Note that you can do the same for executable files, as Google will not let you email anything that is a program (a file with an extension of .exe, .com, or .bat). So, change the extension from '.exe' to '.txt' and that's it.
Of course, when you download the file from Gmail you have to remember to change the extension of the file back to its original.
This trick defeats the purpose of the virus scanner: a stream of malicious binary data is floating around just waiting to be executed. At some point, Google will catch up to our tricks and will make its virus scanner software smarter than it is now. Until then, happy emailing encrypted (or executable) files.
That could potentially be a new attack, such that:
1. Hacker dude creates malicious binary and renames its extension to TXT.
2. Hacker dude crafts email telling users to rename file extension to EXE and run for a special surprise.
3. Hacker dude distributes email with seemingly-innocuous attachment.
Because many non-techies will fall for this, it will work, sadly.
Kind of strange that Google hasn't fixed it already. I've worked with email servers that scan the contents of the file rather than the name, to avoid the workaround you mentioned. Since Google is usually ahead of the technology curve, I would have expected them to do it already.
But it's good to know that a workaround does still exist.
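The content-based check mentioned in the last comment, as an added example that is not part of the original post or its comments: it classifies an attachment by its leading bytes instead of its filename, recognising a ZIP local file header (with its encryption flag) and a Windows PE executable. The function names and sample byte strings are constructed for illustration; .com and .bat files carry no signature and are not covered.

```python
import os
import struct

# Extensions normally associated with each detected content type (assumption
# for this sketch; many formats such as .docx or .jar are also ZIP containers).
EXPECTED_EXT = {"zip": {".zip"}, "zip-encrypted": {".zip"}, "pe-executable": {".exe"}}

def sniff(data: bytes) -> str:
    """Classify attachment bytes by signature, ignoring the filename."""
    if data[:4] == b"PK\x03\x04" and len(data) >= 30:
        # ZIP local file header: general-purpose flags at offset 6,
        # bit 0 set means the (first) entry is encrypted.
        (flags,) = struct.unpack_from("<H", data, 6)
        return "zip-encrypted" if flags & 0x0001 else "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # DOS header: the 32-bit value at 0x3C points to "PE\0\0".
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe-executable"
    return "unknown"

def classify(filename: str, data: bytes):
    """Return (content_type, renamed); renamed is True when the extension
    does not match what the bytes actually are."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    renamed = kind != "unknown" and ext not in EXPECTED_EXT[kind]
    return kind, renamed

def zip_local_header(name: bytes, flags: int) -> bytes:
    """Build a minimal 30-byte ZIP local file header (constructed sample)."""
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags,
                       0, 0, 0, 0, 0, 0, len(name), 0) + name

# Constructed samples: an encrypted ZIP entry, a plain one, a minimal PE stub.
ENC_ZIP = zip_local_header(b"secret.doc", flags=0x0001)
PLAIN_ZIP = zip_local_header(b"notes.doc", flags=0x0000)
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"

if __name__ == "__main__":
    for fname, blob in [("archive.txt", ENC_ZIP), ("archive.zip", PLAIN_ZIP),
                        ("surprise.txt", PE_STUB), ("readme.txt", b"plain text")]:
        print(fname, classify(fname, blob))
```

A scanner built this way still cannot see inside the encrypted archive; it can only report that the attachment is an encrypted ZIP regardless of what it is named.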