Are Internet cafe users' email credentials at risk?

Most browsers store all Web pages, including a user's message and other information, in a cache from which it is retrievable with relative ease. Expert Michael Cobb explains how to keep the personal data from getting into the wrong hands.

When checking email in a public place, is it possible for a user's message information to be stored in an Internet cache? Can it be easily retrieved? I've heard specifically about Gmail credentials being at risk, but is it an issue for corporate webmail accounts as well, and if so, how can it be avoided?
There are many different ways of checking email in a public place, but let's start with the Internet café scenario where you are using a Web browser on the coffee shop's personal computer. The default setting for most Web browsers is to store all Web pages, including a user's message and other information, in a cache from which it is retrievable with relative ease, whether the email account is with Gmail, Yahoo, Hotmail or a corporate webmail server.

Fortunately, it is also relatively easy to clean out this cache and other information related to your Internet café session, including cookies, after your session. You can use the browser menu (Tools/Internet Options in IE and Tools/Options in Firefox). In fact, this should be second nature to anyone who uses a public terminal to check email. A responsible Internet café will remind you of this; some even provide an automated end-of-session cleanup process. To be safe, however, make sure to do it yourself. You can also set a browser not to cache any pages, but this setting can slow performance, and it may not be available on a public terminal.

Some readers will be aware that Web pages themselves can be created with a "no-cache" setting. You can verify such restrictions when you view the page source of a message in Yahoo Mail, for example. The "no-cache" instruction is generally respected by the browser cache and caching servers used by ISPs. The latter are another place from which your email could be illicitly retrieved by someone with sufficient SRM: skills, resources and motivation. Anyone checking email in public places should have an "SRM index" in mind. Is the email so sensitive that someone would apply a serious amount of skills, resources and motivation to obtain it?

The specific vulnerability involving Gmail and Microsoft Internet Explorer, recently publicized by application security vendor Cenzic, requires serious SRM. Other attacks could be easier, like putting a keystroke logger on a public computer or "shoulder-surfing" to capture messages as a user types them.

If you are accessing email wirelessly in a public place, someone could be sniffing the airwaves. Therefore, your precautions and countermeasures should be appropriate to the sensitivity of the data that is potentially exposed. For example, if you have internal sales data that must be transferred securely, encrypt the information and send it as an attachment to a message that says something innocuous like "Here is the data you requested."

In other words, risk is relative. A good rule of thumb is not to send or receive mission-critical data from a public place via webmail unless your company has put some serious rules and safeguards in place and cleared you to do so.

More information:

  • Visit's Messaging Security School.
  • Learn about the webmail flaws found by researchers at Black Hat Conference 2007.
  • This was last published in May 2008

    Dig Deeper on Email and Messaging Threats-Information Security Threats