SecOps failure: GPG+Gmail on OSX Mavericks may store unencrypted drafts

A plaintext draft of an encrypted e-mail, saved on Gmail's servers despite the account setting that should have prevented drafts from being stored there.

If you're sending encrypted e-mail with the default Mail app on OS X Mavericks, your setup may be saving plaintext copies of your messages on the mail server. Mac-based users of the GPG encryption app began noticing this unfortunate behavior in October when using Gmail over IMAP. Even after unchecking the "Store draft messages on the server" and "Store sent messages on the server" checkboxes, the changes would mysteriously vanish, and Mail would go back to autosaving drafts on the server before any encryption had been applied.

On Thursday, independent privacy and security researcher Ashkan Soltani was shocked to make the same discovery after finding that GPG-protected e-mails he had received from others were stored unencrypted in the drafts folder of his Gmail account. The messages had been automatically saved the moment he hit the reply button, as the decrypted quoted text just below where he would type his response. Like other Mavericks users, he had specifically configured his system not to save such messages when using the Internet Message Access Protocol (IMAP) with Gmail. Without warning, the checkboxes he had cleared inexplicably became checked again.

"This is an example of things falling apart at the seams at the integration points," Soltani told Ars. "A lot of people don't use the Gmail browser. They just use Gmail for IMAP. I just happened to have Gmail in the browser opened. Most people wouldn't know about it. I was really shocked."
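The practical check a reader in this situation wants is an audit of the Drafts mailbox itself: does anything stored there carry plaintext that should have been inside a PGP message? The following script is an added example, not code from the article, from Apple, or from GPGTools. It classifies raw RFC 822 messages offline as PGP/MIME (RFC 3156), inline ASCII-armored, or unprotected, treating any non-whitespace text outside the armor (exactly the decrypted quoted reply Soltani found) as a leak. The sample drafts are constructed here for illustration; the optional IMAP helper assumes Gmail's default "[Gmail]/Drafts" mailbox name, which Gmail localizes for some accounts.

```python
"""Audit stored e-mail drafts for plaintext that should have been PGP-protected.

Added example, not from the original article. The classification runs offline
over constructed sample drafts; fetch_drafts() is an optional IMAP helper and
assumes Gmail's default "[Gmail]/Drafts" mailbox name.
"""
import email
import imaplib
import re
from email import policy

# ASCII-armored OpenPGP message block (RFC 4880, section 6.2).
PGP_ARMOR_RE = re.compile(
    rb"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S
)


def is_pgp_protected(raw: bytes) -> bool:
    """True only if every readable part of the body is PGP ciphertext.

    Headers (Subject, To, Date) are never encrypted by OpenPGP mail and are
    therefore not inspected; only body content is classified.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)

    # PGP/MIME (RFC 3156): multipart/encrypted with protocol application/pgp-encrypted.
    if msg.get_content_type() == "multipart/encrypted":
        proto = msg.get_param("protocol", header="Content-Type") or ""
        return proto.lower() == "application/pgp-encrypted"

    # Inline PGP: each text part must be an armored block and nothing else.
    text_parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    if not text_parts:
        return False
    for part in text_parts:
        body = part.get_payload(decode=True) or b""
        if not PGP_ARMOR_RE.search(body):
            return False  # no ciphertext at all: a plaintext draft
        if PGP_ARMOR_RE.sub(b"", body).strip():
            return False  # plaintext (e.g. a decrypted quoted reply) sits beside the armor
    return True


def find_plaintext_drafts(drafts):
    """Return (uid, subject) for every draft that is not PGP-protected."""
    leaked = []
    for uid, raw in drafts:
        if not is_pgp_protected(raw):
            msg = email.message_from_bytes(raw, policy=policy.default)
            leaked.append((uid, str(msg.get("Subject", ""))))
    return leaked


def fetch_drafts(host, user, password, mailbox='"[Gmail]/Drafts"'):
    """Fetch (uid, raw_bytes) for every message in the drafts mailbox over IMAPS.

    Network helper for a real audit; Gmail needs an app password here. The
    mailbox name is an assumption (Gmail localizes it for some accounts).
    """
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select(mailbox, readonly=True)
        _, data = conn.uid("search", None, "ALL")
        drafts = []
        for uid in data[0].split():
            _, fetched = conn.uid("fetch", uid, "(RFC822)")
            drafts.append((uid.decode(), fetched[0][1]))
        return drafts


# Constructed sample drafts (hypothetical content; the armored bodies are not real ciphertext).
SAMPLE_DRAFTS = [
    # 1: the failure mode from the article, a reply whose quoted text is the decrypted original
    ("1", b"Subject: Re: Q4 audit\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
          b"Thanks, see below.\r\n\r\n> Here are the unredacted findings for the board.\r\n"),
    # 2: inline PGP, nothing but the armored block
    ("2", b"Subject: Re: Q4 audit\r\nContent-Type: text/plain\r\n\r\n"
          b"-----BEGIN PGP MESSAGE-----\r\n\r\nhQEMA0FBQ0RFRkdISUpL\r\n=abcd\r\n-----END PGP MESSAGE-----\r\n"),
    # 3: PGP/MIME per RFC 3156
    ("3", b'Subject: Budget\r\nContent-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\r\n\r\n'
          b"--b1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
          b"--b1\r\nContent-Type: application/octet-stream\r\n\r\n"
          b"-----BEGIN PGP MESSAGE-----\r\n\r\nhQEMA0FBQ0RFRkdISUpL\r\n=abcd\r\n-----END PGP MESSAGE-----\r\n--b1--\r\n"),
    # 4: armored block present, but the decrypted quote was autosaved next to it
    ("4", b"Subject: Re: Budget\r\nContent-Type: text/plain\r\n\r\n"
          b"-----BEGIN PGP MESSAGE-----\r\n\r\nhQEMA0FBQ0RFRkdISUpL\r\n=abcd\r\n-----END PGP MESSAGE-----\r\n\r\n"
          b"> The decrypted quote Mail pasted into the reply\r\n"),
]

if __name__ == "__main__":
    for uid, subject in find_plaintext_drafts(SAMPLE_DRAFTS):
        print(f"draft {uid} ({subject!r}) holds unencrypted content on the server")
```

Run against a real account with `find_plaintext_drafts(fetch_drafts("imap.gmail.com", user, app_password))`. The check is deliberately strict: a draft with even a plaintext signature line beside the ciphertext is reported, because anything outside the armor is what the IMAP server, and anyone with access to it, gets to read.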
