Gmail To Block JavaScript Attachments Due To Ransomware, Other Security Risks

Google announced that it will add .js (JavaScript) extensions to its list of restricted file extensions (such as .exe, .msc, and .bat) for Gmail starting February 13, 2017.

As Flash is being phased out, attacks based on JavaScript vulnerabilities may be the new go-to for malicious hackers. Late last year, a researcher had already found a JavaScript vulnerability in Yahoo Mail that could have allowed any attacker to eavesdrop on Yahoo customers’ emails.

Throughout the last year, it has also been observed that various ransomware families have begun to spread through email spam that sent malicious JavaScript attachments.

Email has always been an effective way to spread malware because people often click on the attachments they receive without taking any additional protections. Those extra protections would include opening the attachments in a better sandboxed environment (Sandboxie, as or a virtual machine, are two examples). It’s understandable why most do not, because it’s often too inconvenient to take such measures to read your email. Therefore, it’s up to email service providers to try and limit this type of malware risk as much as possible.

Where applicable, the browser’s sandboxing should also help. However, chances are the malware makers already take browser sandboxes into account and include ways to bypass them.

Blocking .js file attachments is bound to frustrate software developers who may use email to share JavaScript files with each other. Google has a solution for this, which is to use Google Drive, Google Cloud Storage, or other cloud storage solutions to share those files.

The new restriction is a part of Google's continuous efforts to improve Gmail security. However, we're still waiting for the end-to-end encryption feature that Google promised back in 2014 but has yet to deliver.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • ammaross
    Or just send your javascript file or snippet as a .txt. I'd assume most web developers are well aware of extensions.
  • velocityg4
    Although this is good for the average user. Google should provide the option for a user to manually override the security for a specific e-mail for any file extension or file. Just let them know the risks. They can then decide to override it if they so choose.

    I can understand trying to protect the average ignorant user. Just don't alienate advanced users in the process. Those who know how to judge whether or not an attachment is reasonably safe and don't blindly open attachments. Such as, you don't open an attachment you weren't expecting.
  • Software devs who can't zip their attachments probably have bigger problems than Gmail's new .js block.
  • firefoxx04
    I wont say where I go to uni at but we have year 2 and 3 students that do not know how to zip a project folder for their programming classes. It is pretty sad.
  • velocityg4
    19212359 said:
    Software devs who can't zip their attachments probably have bigger problems than Gmail's new .js block.

    Last I tried GMail looks inside zipped archives. Unless they encrypt it GMail still blocks it. Although they should encrypt it.