Michael Mimoso reports:
Google’s decision to automatically display images in Gmail messages has security experts on edge about the privacy and security implications of the move. Of particular concern is the ability of an attacker, or marketer, to learn whether messages are being opened, as well as the possibility of an attacker spiking an image URL with additional attacks that could lead to denial of service conditions or worse.
Read more on ThreatPost.
This seems to be more a question of implementation. If Google pulls the image immediately and caches it, it actually increases privacy because the originator won’t know whether or not the recipient opened the email. However, the article indicates they are re-pulling the image every time the email is opened, which is not good. I also take issue with the idea that a malicious attacker could execute a DoS attack on a server by embedding an image from that server. I’m betting Google has either already thought of that or will implement something soon to prevent such an attack.