G-Archiver Harvesting Google Mail Passwords
Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."
Oh, wait...
"The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."
Right. And I have a bridge I'd like to sell you too.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Maybe _this_ is why I'm getting more spam in my gmail account lately?
If it isn't, surely someone had a boner after reading the article and is coding as we speak...
If you're debugging, you already have the account details. What possible reason could you have to email them to yourself?
Trust me, trust me not, trust me, trust me not.
Oh damn, there goes my password.
Do you believe the developer? What debug code needs to send an email containing user account information?
Trying to become famous by taking photos. Visit my homepage please.
If this was a big company, they would have denied it and gone after him under the DMCA. At least they admitted to something and pulled the product.
You don't have to work in IT to know that there is no reason for G-Archiver to send the password to anyone but Google. This guy deserves to be prosecuted under anti-hacking statutes.
Good intentions and all, but I'm sure Mr. Brooks just opened himself up to "hacking" charges.
Looks like someone got caught with their pants down in the cookie jar. That's not nearly as hot as it sounds.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
...and if you email usernames and passwords to
yourself -- like many folks do -- man, you are
looking to get punished like this. This is
especially true if you use public terminals.
(I know, I know. Not the same thing. Still...)
You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it...
Ask not what you can do for your country. Ask what your country did to you
What can be explained by incompetence?
Although in this case, that's some serious incompetence going on!
It doesn't mean much now, it's built for the future.
And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you. Once you've given it to them, you have no control over what they do with it.
I'm almost willing to believe the G-Archiver excuse that it's debug code. From the screenshots posted online of the inbox (before it was deleted) I only see e-mails marked as unread. If the entire inbox is filled with unread e-mails then I'm willing to believe it was a throw-away e-mail account used for testing/debugging. Also this kind of "bug" seems really blatant and certainly headed for an easy discovery. I'd expect a more obfuscated means of transmitting the username and password, were one so inclined to bug the software.
However 1,777 seems a bit small for "popular software" if this represents every install since the bugged software was released. Furthermore, how does e-mailing a password to a random account help in debugging the software?
I'm almost willing to believe in human stupidity as the reason this happened, but not quite.
Suppose you want to harvest all users' emails by simply mailing them to your own account. Why on h^Hearth do you need the password of this account to be written in the source code?
My first program:
Hell Segmentation fault
For: Everybody can check the source.
Against:
(1) But because most users/people generally are not qualified to do so, there is a significant risk of damage being done already by the time the qualified users/people do.
(2) IT quacks can cause such loopholes and there really aren't many, if any at all, people around to be accountable for it.
Sucky blow for OS.
So why did the binary program also have the password for the gmail account? One would assume that the email address would have been enough. After all, sending someone email doesn't require their password.
Just sayin'..
Also, I'd be very surprised if this wasn't intentional. Not likely "debug" code.
1700+ email accounts isn't much, considering the volume of gmail. And then those accounts would have to be able to be linked to something, if one were to try to exploit it.
I'm really surprised it's sub-2000. Goes to show not many people use it.
Since the password of the email account was changed, it couldn't upload any further data either.
how about that guy who modified the login program to give him a backdoor hard-coded password and username? then he modified the compiler to recognize when it was compiling login and automatically insert the code, and deleted that code from login so it wouldn't be apparent in a code review. then he modified the compiler to recognize when it was compiling itself, and insert the code to modify both itself and login, and then deleted that code from the compiler as well. now there ain't no code to do that in the source code no more, but it does it anyway. eh?
I'm supposed to believe that some coder was logging passwords by accident? Right, and i'm just writing code for an online store and I just happen to be keeping copies of all CC #'s on my personal computer, just for debugging.
(Evil Laugh) Debugging straight to the bank!
Isn't the whole freakin point of GMail that you don't have to backup?
10 ?"Hello World" life was simple then
It would have been nice if the dude who uncovered this had emailed those concerned to let them know their accounts have been potentially violated. I use Gmail for 2 primary addresses and would like to know if my name was amongst the 1700 there. Deleting them all was good work but informing them too would have been nice (and probably not too hard).
Did they save a list of the accounts that had the password stolen? The scumba^k^k^k^k^k "programmer" could have already downloaded the messages via POP before the author changed the account's password.
Maybe I'm getting old, but this seems like a pretty clear case of "oh crap, I'm an idiot", rather than "mwuahahah, my plan for global domination proceeds apace!". According to the posting on codinghorror, the guy who found the issue (Dustin Brooks) found that the creator, John Terry, of the G-Archiver software had left his own email information in the code. Yes, the G-archiver forwarded a record of the account information of everyone who used the app to that mailbox, but if you look at the screenshot, none of those emails has been flagged as read by gmail (but maybe that's an artifact of a POP connection?).
Either way, this just smacks to me of a novice developer doing something incredibly dumb, rather than incredibly malicious. If he actually wanted to just collect other people's account information, why leave his own in the source code? He could have just as easily forwarded the information to an anonymized email account, or simply an account for which the login information was not present in source.
Just my opinion, I reserve the right to be wrong.[...]
Google's statement continues. "We are investigating this incident, the underlying activities of which violate Gmail Program Policies. We have suspended the suspect account, and are in the process of notifying the owners of those accounts whose passwords may have been compromised. It's unfortunate that fraudsters continue to use email for these purposes. We have phishing detection capabilities built into Gmail, so we were able to act quickly to limit the impact of this particular attack." I have never read Google's Privacy Policy but am slightly concerned that they appear to be able to access emails after their deletion.
"Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
Seriously, though, this is why I use the greasemonkey extension for firefox to do things like this. It allows you to add your own javascript to certain web pages. For example, the better gmail set of scripts provides a variety of enhancements, and there is a tool that lets you add a bcc to every mail (which is how I back up my sent mail).
The best part is that all the scripts are javascript, so even if you have the most rudimentary understanding of just about any programming language, you can easily figure out what the scripts are doing. No decompiling or reverse engineering needed.
Although I risk sounding like an ideologue for saying this, this once again shows how open source programs are inherently more secure than closed source.
weirdest thing I ever saw: scientology advertising on slashdot.
I stopped using shareware and only use open source software. You never know what kind of crap the programmer might have stuck in there unless you can read the source yourself.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
There are better ways to email someone's userid and password to yourself without giving away your own password.
Like SMTP.
by using a protocol analyzer to recover my OWN login and password for my side of the company's intranet. Turned out that the web software we used (can't remember the name, but it was not front phage, but it was indeed popular at the time) was harvesting or retaining ALL USER ACCOUNTS names and passwords. I became scared shitless because I was not sure how IT would feel. But I was former IT in the company and felt obligated to warn them that the vendor was conducting shitty coding processes and put not only OUR company at risk but other companies as well. If they had any diagnostic or call-home code in their web site building software, then potentially a corrupt employee in their company could gain some limited or full access to many companies' intranets if they gained physical access to the building. And, we all know about piggy-backing, where thieves waltzed in behind other employees, then proceeded to lift laptops, purses, keys, wallets, documents, whatever they could steal.
..
DAMN, I wish I could recall the name. I may
Here we go... I'm PRETTY damned sure it was NetObjects Fusion. Just googled "Year 1999 web building applications intranet web" and they were at the top of the list... I preferred it over front phage, but...
And, now that I Google "Year 1999 protocol analyzer sniffer packet" it seems to refresh my memory that I am PRETTY sure Sniffer Basic was the tool I used.
Of course, after that I never used any such tool on the LAN. But, being formerly in the IT department, and knowing what to look out for to help the company probably kept me out of trouble.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
What twisted, warped world do you live in where it is unethical to stop a crime-in-progress?
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
I would have collected the email addresses and sent them an email telling them their account has been compromised and that they should change their password. I wouldn't use something like this, especially since POP3 is available in Gmail, but what worries me is that one of the Firefox extensions that I use may do this.
I call shenanigans, everyone get your brooms!!!!!
Thank goodness for people with decompilers and sniffers and such that actually check the software they use for malicious behavior. If it weren't for you guys I'd never be able to trust the software I use. Again, thank you.
I love that "a member of our development team" as if it took 10 to 20 people to design, test, and produce this code.
There was a line in Dilbert once:
Dogbert: Do you know how they say if you have an infinite amount of monkeys given an infinite amount of time, you could reproduce the works of Shakespeare?
Dibert: Yes?
Dogbert: I'd give this three monkeys and 20 minutes.
That sounds about right.
The real sad thing about this software is that the company charges you $30 for this dinky little
Well... it is possible.
Engineering is the art of compromise.
Coding Horror has an article (http://www.codinghorror.com/blog/archives/001072.html) regarding the hack. Included in the comments are some people who used Reflector to check what the source says. It looked to me like someone didn't know how to send emails to himself. But it could be some debugging code...
When you delete e-mails (even if you hit "Delete Forever"), GMail does not actually delete your e-mails right away. All that happens is you can't see them any more. Google has been rather forthright about this from day 1 of the Beta; it raised a big furor when GMail was first released.
From the GMail Privacy Policy: (which is blessedly short, and in English)
"You may organize or delete your messages through your Gmail account or terminate your account through the Google Account section of Gmail settings. Such deletions or terminations will take immediate effect in your account view. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our active servers and may remain in our offline backup systems."
SirWired
If this was an honest mistake, it's the kind of mistake you can go to prison for.
How many corporate in-house software packages have similar "forgotten" security issues?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Don't forget to be sure the binary doesn't contain anything its source doesn't, you have to trust the compiler (or similarly compile its source)... and the compiler's compiler... and so on.
Pretend that a bunch of stuff was stolen from your house. Say, a bunch of valuable sports memorabilia. Now, say that you learn that it's being fenced off in a hotel room. Say in Las Vegas. Now, should you:
1) Contact the police and hope they respond quickly
or
2) Pick up a couple of buddies and go down to the hotel to "stop the crime-in-progress"?
He's getting rather old, but he's a good mouse.
He did it so he could more easily troubleshoot support calls on his new "Unix" operating system.
Cretin - a powerful and flexible CD reencoder
There are times you have to give out your password; what if I am using Thunderbird or Outlook?
What I do see making sense is that if you give out passwords, it should be to trusted, reputable software or at the very least to OSS.
It was 1700 e-mails in the account at the point at which someone else found it.
From the sources, I don't think we can be sure that there weren't many more over the life of the software that were cleared out earlier. If the G-Archiver guy had access to some kind of GMail archival software, he could easily make a local backup of them, say, once a week and delete what was there, figuring someone would eventually get wise to it.
In this case, you can probably use "his." "Oiled his snake," no?
Shop as usual. And avoid panic buying.
What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.
Just a few suggestions:
1) Use source control and know how to use it. Know how to tag releases and when your code is 'frozen' and ready to ship. Communicate.
2) Know how to use your source control to ID recent changes. Review recent changes.
3) At least know how to use diff, for Christ's sake. Diff your code and look for recent changes.
4) Just a thought, you might want to move your soon to be released code to another repository. Just a thought.
5) LART any programmer touching the soon to be released code without communicating or following through (i.e. removing debug code). If the said programmer is a cowboy, move that programmer over to sales.
6) Dare I say it, QA and code reviews. Even short-cycle extreme programming has de facto code reviews in that 2 programmers check each other's work.
As projects get larger and more complex, version control gets harder. But a few basic rules can help out.
putting the 'B' in LGBTQ+
Oh, by the way, you realize that lots of people are paid to audit OSS code before they deploy it in their company, right? The ability to do this is actually a selling point for a lot of companies. (and unless the software has got a built-in ansible, that should be good enough for almost all applications.) What are you talking about?
Or he created a second Gmail account which he would log in to at a later date to use the passwords maliciously. The fact that they are unread is suspicious to me as I don't go 5 minutes without knowing if I have new e-mail or not. If I was bombed with email addresses and passwords for days on end, I think I would know something was up with my software and would have deleted the account myself, plus preemptively told others to stop using my software until the bug was fixed. That's just my ethics, I guess.
Had any of the emails been looked at?
If they were all unread, and if the last login on that account was like forever ago, then maybe the developer's story is the truth.
But this is a key example of where open source wins, because most eula's will have a don't decompile clause.
Now watch this guy get arrested on either a DMCA or Network Intrusion charge for "doing the right thing" in 3... 2... 1...
It must have been something you assimilated. . . .
I think that your analogy is flawed. OJ didn't stop a crime in progress that he just stumbled upon - it was quite pre-meditated and there was plenty of time to get the cops involved. It also was not a crime that he was stopping - in fact he was the burglar - but that is beside the point.
This guy stumbled upon a crime-in-progress as he was investigating. To get the cops involved may have meant time for more victims to fall for the scheme, especially given that finding a geek cop would take considerable time and effort. He alerted the proper people as to what he had done.
If you really want a real-world analogy it would be like stumbling upon a guy sifting through your neighbor's trash and putting choice pieces of mail into a bag. As you pass by, you silently pick up the bag and alert your neighbor. You didn't HAVE to pick up the bag, but it certainly wasn't unethical to do so. Of course, on the internet there is no immediate threat of physical violence so the correct action is even more clear.
"Never attribute to malice that which can be adequately explained by stupidity"
Although in this case I think stupidity might not be an appropriate term. Unless you have oversight (either peer or some other form) it's quite easy to accidentally leave debugging code in a release. I'll hold my hand up and say I've done it; any programmer who says they haven't done it - or at least something similar - is either delusional, hasn't noticed yet or is a downright liar.
Yeah, I had a sig once; I got bored of it.
The world isn't so black and white. You should only leave a crime scene alone if there is no risk of further victims. It's fine to "contaminate" a crime scene if you prevent further crime. This guy may well have saved a few people from having their account hijacked.
Google will have plenty of records if the police actually want to investigate. It's not like logging into a website somehow destroys old records. Walking into a murder scene and wiping it down is NOT analogous to adding some records to a database that can be restored and is likely to have been backed up.
In what legal system would this guy be considered an accessory when he clearly was a good Samaritan?
No doubt - That would have been a terrible analogy. And, I agree that since he immediately informed google of his actions, he did the right thing. But, as I tried to make clear, I didn't intend it to be an analogy - Just an answer to the question, "What twisted, warped world do you live in where it is unethical to stop a crime-in-progress?" Depending on the circumstances, illegal actions may be prosecuted even if they were undertaken in an effort to stop a crime in progress.
Still, although I can't fathom that anyone would be so blind as to charge him for what he did, logging into someone else's e-mail account, deleting all of their (albeit ill-gotten) e-mail, and changing their password may be against some law. I dunno - IANAL.
Also, your garbage analogy may raise more questions than you intended. If your neighbor's trash is waiting at the curb, going through it and retrieving mail may be perfectly legal. Grabbing the bag that the guy is stuffing mail into almost certainly is not. Again, IANAL.
Great choice of words.
As I read the comments attached to this article, I see that many slashdotters can't imagine why this debug code would be put into the software in the first place.
To those slashdotters: You people have no imagination.
Imagine you're a G-Archiver developer, and one of your customers calls you, saying "Your program doesn't work. It's saying something about an invalid user." In order to reproduce the problem, you ask the customer for his credentials. He tells you his username and password over the phone, and you try logging in yourself. It works fine.
After a while, you think the problem might be that the password being entered is different from the one you were given over the phone. Perhaps it has something to do with the customer's strange keyboard layout, or maybe the customer's keyboard has some flaky keys.
So what do you do? You give that one customer a special build of the software that emails you the username and password as entered.
Later, you accidentally check in the debug code for that special build. Oops.
The guy who logged in and deleted the accounts seems to have left off one important, article-ending fact, and that is whether the emails he found in the account had been opened or still remained unopened. Heck, would there also not be a last-login date associated with that account? These two things should have been asked and mentioned, or else this was designed to sensationalize how BAD Google's security problems are. After all, it is obvious this had nothing to do with Google's security, but the article was designed to center on that. IMO
So, though an interesting situation, I think this is more of a reason to use Open Source software since it is far, far more likely to have been found/caught earlier. I will be checking my Firefox extensions for open source licenses and source code.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Write a Thunderbird filter that matches all gmail messages and copies them to a local folder. Filtering seems to force the message to be retrieved.
Don't mess with The Phone Company. Piss them off and you'll be using two tin cans and a piece of string.
whether stupid or malicious may not matter. It appears that either way there is leakage of ID/access info to third parties. Since an exploit has essentially been divulged here [i.e. decompile a backup and see what id+password combos you find] alarm is appropriate. after all "pulling the software" does not remove every last copy from the reach of interested parties...you have heard of google cache? I tripped over a bug even more likely to be unintentional in my TurboTax online tax prep sessions this weekend: after cycling through the password reset process three times with no luck and a weird "this link was already used" message I scraped all the URL parameters off of the confirmation emails intuit sent me. Guess what? All but the final, successful exchange contained superfluous parameters for user id and authentication id. It looks for all the world like a failure to reset the buffer in the server that dishes the password reset emails...resulting in parameters from other users who had been sent their reset tokens just prior to mine tacked on the end of the url intended for me. [it was only a url with a single parameter set that finally worked properly]. I did nothing with them and they expire quickly so probably no damage done. But jeeze: does someone out there have my "authid=xxxxxxx"? [do you think intuit provides a "contact us 24/7 about security issues" link on their https pages? not one I could find]
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Thanks!
I call:
- ms word ms blurb
- access abscess
- excel hexedcell
- x box hexed box
- outlook LOOKOUUUTTT!!!!
- powerpoint powerpointless
But, I'd have to say my faves are abscess and front phage...
First of all, ethics != legal. The good Samaritan here may or may not have put himself in legal jeopardy - but that has nothing to do with the ethics.
Second, Google warns you in their terms of use that your deleted emails may remain on their system for several months - so yes, they do back up.
Third, it isn't necessary for the account to still be active or full of email. The software can be demonstrated to send a message to a Gmail account containing usernames and passwords. Combined with Google's logs, this is enough to go after the perpetrator (who is known). That some idiot prosecutor might go after the wrong guy does not affect the ethics.
This guy did the right thing.
Zone alarm (and all other software firewalls) are pretty much useless for blocking outbound traffic. Zone alarm is software running on your machine. If you run another piece of software, there is nothing that stops that piece of software from modifying ZA. That modification can change ZA to allow traffic from application X without notifying the user. Quicktime player, for example, does this with most firewalls. What's more, ZA runs on top of the Windows network stack, but it is not part of that network stack. So, a well written piece of code can simply go around ZA and access the network stack directly.
This is not to say that software firewalls are useless. They are necessary to block incoming traffic since Windows has so many open services. However, blocking outbound traffic is essentially a marketing gimmick. If you want to do that, you need a hardware firewall running on another machine entirely, but then of course you no longer have the ability to tell which application is sending the request/packet.
You know how opponents of gun laws say that if you outlaw guns, only criminals will have them? Well, for software firewalls blocking outbound traffic, this is actually true. These types of firewalls only block processes that are behaving, and misbehaving applications can just modify or go around them. Any successes that you get are just because the piece of malware that you are dealing with is poorly written.
Got your point - I could have phrased it better. Stopping a crime in progress that you've stumbled into, especially when there is no danger of any physical harm to anyone... it's hard to think of a scenario where that wouldn't be ethical.
:)
The mail thing is also a terrible analogy... most real-world things are when you try to apply them to computers. But I'd dispute that ethics has anything to do with legality. Even if it is legal to go through someone's trash looking for mail, it is not ethical. Swiping such a person's bag under such circumstances is similarly ethical, even if it is technically illegal.
But it's such a convoluted scenario that it doesn't really matter
This is misleading. They should have fully disclosed the problem if they want to re-gain anyone's trust. It wasn't that they "may" have been revealed; they as a matter of fact "WERE" revealed. An admission that their program LOGGED AND TRANSMITTED PASSWORDS TO THE PARENT COMPANY would also have been nice.
"Question with boldness even the existence of a god." - Thomas Jefferson
But you forgot Intranet Exploiter! Although at the shop we always called lookout! outlook excrement, due to how many times we had to deal with it sh*tting itself over the damned 2Gb .PST file bug. Real fun telling some business owner he has lost a couple dozen important emails because of a file he's never heard of getting too big.
ACs don't waste your time replying, your posts are never seen by me.
How difficult is it to distinguish a 100% scam??
1. The source code of the program says about everything: The developer mails account details to him. What debugging?
How many messages do you have to receive before you understand that you should stop 'debugging' ???
2. Who really cares if they made an error after all?? They are still dangerous.
3. The company used an unlicensed version of a known mail library
A developer has uncovered the source code of the software. Take a look and then post messages:
http://developeronline.blogspot.com/2008/03/gmail-password-thefts-story.html/
That's all.
Yes, that is a great point you make.
However, where there might not be imagination, there is common sense. Think about this: Why in the world would it be necessary to have the software phone home with the user's information if it could just dump it to a local log file?
If it turned out that the software was dumping the user's account information into a local text file, then the author's "oops forgot about that debug feature" excuse would have been believable. But to have it actively phone home with every user's account information? This clearly took more thought and effort to implement than simply outputting a text file. There's no reason he couldn't just use log files for debug purposes, because it's all-around quicker and easier from a programming point of view.
Other people will argue against you that the developer would have noticed the 1700+ emails in his inbox. I'll side with you by saying this: If he created a separate GMail account just for debugging purposes, then perhaps he would have checked it once or twice in the beginning and never checked back again, not realizing the stream of incoming messages. I'd be curious to know how many of them were marked as read when Dustin Brooks found his way in.
But yeah, ultimately, I'd say that all the signs lean very heavily toward active password harvesting.
/* No Comment */
I've written a lot of code in my time. I've never written a routine/method/function that saved user account names and passwords then emailed them to myself. Writing passwords to the local system is fine, but even that you have to do correctly (in a sufficiently encrypted form) and you must notify the user. I can't understand how he could possibly justify creating emails that transmit password information as simply a debugging accident. The debugging process probably shouldn't involve automatically creating emails. And if it does, it probably shouldn't include secure information. And if it does, it probably shouldn't include secure information from the user without notifying them.
I don't think this can be justified. You can't "accidentally" harvest account names and passwords. Bells go off in the head when you're writing code that says "create an email, send it to this address, and include the current user's username and password."
Has this guy John Terry never heard of compiling profiles, and a possibility of doing a '#define DEBUG' and testing if this is a debug scenario build? In C/C++ these facilities have been around for decades, and if MS thinks .NET applications are the future, I hope they have similar functionality for .NET languages and/or developing environments as well. Kind of childish of John Terry promising all this wonderful functionality yet lacking basic developer skills.
:)
For me it rather looks like he had a debug and release profile, and it was malicious intent. You have to really be an amateur to not use #ifdef DEBUG for cases like this, and if he knew how to API GMail service, he appears to be smart enough to not accidentally have forgotten a debug code in the source. As for the solution, and to all who argue whether we should likewise trust the likes of Mozilla's Thunderbird, Firefox etc, perhaps a logical step forward in innovation and an end to all this plain text password juggling would be a single OS-wide facility that will receive, and transport/delegate password and other sensitive information, as a server that will expose its API to clients (software that accepts user password input). This way you won't have to speculate where your password goes after you type it in; some form of manifest could lock software to letting only this OS-wide facility manage passwords on behalf of a user application that is of convenience to a user, and display a warning if the software violates its security manifest by doing anything itself with decoded or plain-text input password.
The downside is that the facility will have to hold off attacks on itself, attacks that will try to compromise it, it being a trusted module, but we do trust a Linux kernel, why can't we trust a password delegation facility?
Granted both Linux and Windows have authentication facilities like this, but software DOES NOT have to use it, and users do not know when their favourite software uses one or not. In Linux one has to review the source code (and do so for every MD5 signature change, to be sure nothing is compromised yet again), but users can't read source code, so the problem boils down to human availability, or to be more precise, availability of a developer per software version, who can assure you the software you use uses a generally trusted facility.
To sum up, we are still in the stone age of information systems. It's amazing how much trust users learn to have in a piece of software they have never seen, how naive they must be to think anything they download and install from the Internet is safe for their persona in one way or another. Is it perhaps that they trust their OS that much, they think it will protect them? It doesn't. And there is no reason to blame the users; the user-developer communication is really almost as bad as it was when computers were the size of a living room... Except everyone knows now what a 'blog' is, what MySpace and Facebook are, and what it means to be 'online'.
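The point made in the two comments above, that a real debug-only path is gated at compile time so it cannot survive into a release build, shown as an added C example (not G-Archiver's code). It assumes a hypothetical `-DDEBUG_TRACE` build flag; even the debug path records only the account name and the password's length, never the password itself.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the product under discussion.
 * Build with -DDEBUG_TRACE for the debug profile; a plain build is release. */

/* Returns 1 when the debug trace path was compiled in, else 0. */
int debug_trace_enabled(void)
{
#ifdef DEBUG_TRACE
    return 1;
#else
    return 0;
#endif
}

#ifdef DEBUG_TRACE
/* The only thing the debug trace may record: account name and password
 * length. The password itself is never passed to any sink, local or remote. */
static int trace_login(const char *user, size_t pwlen, char *out, size_t n)
{
    return snprintf(out, n, "login user=%s pwlen=%zu", user, pwlen);
}
#define TRACE_LOGIN(u, l, o, n) trace_login((u), (l), (o), (n))
#else
/* Release profile: the macro expands to a constant, so no trace code exists
 * in the binary at all, and nothing can be "accidentally left in". */
#define TRACE_LOGIN(u, l, o, n) 0
#endif

/* Simulated sign-in step. 'trace' receives whatever this build's debug path
 * wrote (empty in a release build). Returns 0 on success, -1 on bad input. */
int archive_login(const char *user, const char *password, char *trace, size_t n)
{
    if (!user || !password || !*user || !*password || !trace || n == 0)
        return -1;
    trace[0] = '\0';
    (void)TRACE_LOGIN(user, strlen(password), trace, n);
    /* Real code would open the IMAP session with user/password here. */
    return 0;
}

/* Build-independent invariant: the trace must never contain the password.
 * Returns 1 if the trace is safe, 0 if the secret leaked into it. */
int trace_is_safe(const char *trace, const char *password)
{
    return strstr(trace, password) == NULL;
}
```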
Simple as that. And even with the source, that is just the first step.
Bitter and proud of it.
Turns out, I have actually oiled snakes. And I am not talking plumbing snakes.
I worked at a pet store that did some light animal care, and snakes were some of the animals we treated and kept. The oil was Linatone(tm). It helps snakes shed, and it is lightly antibiotic and anti-microbial and anti-parasite. (it makes reptiles happy 8-).
So yes, snake oil for oiling snakes...
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Well, were those emails read or not?
If they were read, then he's known about this for a while.... If not, well, maybe we can trust him...
music - http://www.subatomicglue.com
Assuming his story is true, it was likely just a throwaway account he created for this purpose only.
Google could probably check when he read the mail last, if they really want to verify the story.
By "debug code" he's referring to the embedding of his username and password. He obviously intended to have it log in with the user's own username and password (since it already does it anyway) and send that info to his account silently from there, and then delete the new e-mail from the user's sent folder. Because the way he was doing it in the "debug code" was just dumb. I mean, he got his account wiped and the password changed! He was just asking for it.
Without a password, he would have to use SMTP, which would be obvious to a packet sniffer. ... What's that? He DOES use SMTP anyway!? When the user isn't even connecting to Google?
With a password, he can use the existing encrypted IMAP session to upload to his own mailbox.
Well bugger me - there is no sane explanation. It ain't subtle.
That's why you use an open source client that is hopefully standards compliant. I archive my gmail accounts with Thunderbird Portable. The reason I used the portable and not the standard TB is that I am able to store the entire app and data on a large network drive and run it periodically from any of my computers.
You want fun, go home and buy a monkey!
No, gmail SMTP does NOT need a password for sending to gmail accounts.
You only need to authenticate if it is relaying to other servers, for obvious reasons.
Of course, the allegedly dumb programmer might not have known that.
Or he knew it, but wanted plausible stupidity.
And when those emails are leaked, he can say somebody else read them.
Sorry, I don't buy that explanation, and neither would a court if someone decided to make work of it.
What happened there was a breach of any computer access related law you can think of, and "I was only trying to catch terrorists" (the current government get-out clause) or "but it's a feature" (the Microsoft copout) don't apply either. He got caught, and it could well become a police matter.
But hey, thanks for proving the point of Open Source.
Insert
Though thankfully I only live in the "51st State", the UK.
How often do people need to be told this? Giving your password to someone else is a security breach! Even if the application is local, you cannot trust it unless you can see the source to check what connections it makes!
Asking people for their password to various internet services (most often Google, sometimes other social networking sites) in order to "import" address books, calendar data, blogs and other things has become a common occurrence in social web applications. This is a disturbing trend - it's like giving house keys to the garbage guys to save you the trouble of taking out the trash yourself.
It is phishing dressed up as a trustworthy transaction. People rail against MySpace, Facebook and co. all the time for being less than careful with the private data their users provide - but dozens of sites ask you to grant them authorization to impersonate you elsewhere for your convenience, and I've never seen an uproar.
Google and other sites should watch out for such risks and nip them in the bud by blocking the robotic logins from these servers, as well as educating their users about security.
Troll :)
Anyway, everyone knows that Canada is the 51st state...
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
...I took precautions. It's impractical to upload massive amounts on your own and I like slick little GUIs. I also recognized the potential for abuse in such a thing. So I just created a gmail account specifically for backing up data, no e-mails, no contacts. And encrypted all files before uploading them, then maintained a text file with names and md5 hashes in my main account. The worst that could happen was that the backups would be deleted, nothing more. A little caution goes a long way.