G-Archiver Harvesting Google Mail Passwords
Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."
I'm almost willing to believe the G-Archiver excuse that it's debug code. From the screenshots posted online of the inbox (before it was deleted) I only see e-mails marked as unread. If the entire inbox is filled with unread e-mails then I'm willing to believe it was a throw-away e-mail account used for testing/debugging. Also this kind of "bug" seems really blatant and certainly headed for an easy discovery. I'd expect a more obfuscated means of transmitting the username and password, were one so inclined to bug the software.
However 1,777 seems a bit small for "popular software" if this represents every install since the bugged software was released. Furthermore, how does e-mailing a password to a random account help in debugging the software?
I'm almost willing to believe in human stupidity as the reason this happened, but not quite.
It's useful in case your account gets stolen, or if it ever gets deleted by accident (it's happened to gmail users before).
GMail requires you to authenticate with their SMTP servers to send mail. His choices were to include the account password, implement his own SMTP server and build it into the program, or use an open SMTP server. That last will often get your mail dropped as spam. The second one would have been better-secured, but the guy was obviously dumb enough to include a phishing function in a backup program, so it's obvious why he went with option number one.
REM Old programmers don't die. They just GOSUB without RETURN.
- FBI NATIONAL COMPUTER CRIME SQUAD (May be outdated)
- FBI Tampa Cyber Crime squad (you may have your own local version of this)
- Internet Crime Complaint Center (IC3)
- CERT
- Forum for Incident Response and Security Teams
- Swedish IT incident Center (sitic at pts dot se)
Of course you may have your own national version of IT incident reporting. So if we really want to avoid having the police hunt us for petty crimes of downloading files - give them something real. :-)
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
That was Ken Thompson, coinventor of UNIX.
Give me Classic Slashdot or give me death!
I'm on the fence. On one hand, sending them to your own account seems pretty stupid. On the other hand, if the software has been out there for a while I would think I would notice suddenly getting a bunch of usernames and passwords in my inbox. Perhaps it was a real "oh crap" moment and he figured that he could sneak the fix into a patch before someone else noticed what was going on. It doesn't look like the emails had to be read, incidentally, it looks like the username and password were on the subject line.
"It is a miracle that curiosity survives formal education." -Albert Einstein
Have you read the summary? If you used the G-Archiver program then your details will have been leaked. If you just use Gmail then there is no concern.
He did it so he could more easily troubleshoot support calls on his new "Unix" operating system.
Cretin - a powerful and flexible CD reencoder
Oh, by the way, you realize that lots of people are paid to audit OSS code before they deploy it in their company, right? The ability to do this is actually a selling point for a lot of companies. (and unless the software has got a built-in ansible, that should be good enough for almost all applications.) What are you talking about?
weirdest thing I ever saw: Scientology advertising on Slashdot.
This door would more than likely leave a copy of the message in the user's 'sent' folder. The chances of someone detecting that are far more likely than the hoops this particular user jumped through to decompile the code.
Just another thing that points to the application author's malicious intent. By utilizing his own credentials he was able to authenticate to Gmail as himself and shoot himself an email with no trace in the end-user's sent box.
Launch every sig.
So? Somebody you trust can do it for you. Or, you can trust that there are enough people looking at the code that they'll find any big problems, and that news of these problems will find its way to you. With non-free software, the number of people looking at the code is much smaller.
http://outcampaign.org/
Stop me if I'm wrong, but Google previews the first line of the message, right next to the Subject header (as is evident in the screen shot). So there's no need to even "read" the message.
This is misleading. They should have fully disclosed the problem if they want to re-gain anyone's trust. It wasn't that they "may" have been revealed; they as a matter of fact "WERE" revealed. An admission that their program LOGGED AND TRANSMITTED PASSWORDS TO THE PARENT COMPANY would also have been nice.
"Question with boldness even the existence of a god." - Thomas Jefferson
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
man strings
Can't remember if strings is part of Microsoft's "Unix tools for Windows" though, but Cygwin32 will do the trick.
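The `man strings` suggestion above is the cheapest audit a user can do on a closed-source binary: pull out the printable runs and look for a mail host, an account name and something password-shaped sitting next to each other. The script below is an added example, not code from the thread or from G-Archiver, and it does what `strings -e l` does for programs that store their literals as UTF-16LE (as Windows .NET assemblies do, which plain `strings` silently skips), then groups the hits into the categories an auditor checks first. The `SAMPLE_BINARY` bytes, the `example.invalid` host and account, and the placeholder password are all constructed for the demonstration; the "secret" heuristic is a deliberately simple one of my own.

```python
import re
import sys

# Constructed stand-in for a compiled program: junk bytes around one ASCII
# literal (an SMTP host) and two UTF-16LE literals (an account and a
# password). None of these values are from the real G-Archiver binary.
SAMPLE_BINARY = (
    b"\x00\x01\x02MZ\x90\x00\x03\xff"
    + b"smtp.example.invalid\x00"
    + b"\x7f\x7f"
    + "debug-collector@example.invalid".encode("utf-16-le")
    + b"\x00\x00\x13\x37"
    + "Hunter2!Placeholder".encode("utf-16-le")
    + b"\x00\x00"
    + b"Some unrelated string\x00"
    + bytes(range(0, 32))
)

MIN_LEN = 6
# Printable 7-bit ASCII runs (what plain `strings` reports).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same characters with a NUL after each one: UTF-16LE text (`strings -e l`).
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MAILHOST_RE = re.compile(r"^(?:smtp|mail|imap|pop3?)\.", re.I)


def extract_strings(blob: bytes) -> list[str]:
    """Return ASCII and UTF-16LE printable runs in file order."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(blob):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return [s for _, s in found]


def looks_like_secret(s: str) -> bool:
    """Heuristic (assumption, not a standard): a short token with no spaces
    drawn from at least three character classes is worth a second look."""
    if " " in s or len(s) > 40:
        return False
    classes = sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return classes >= 3


def audit_binary(blob: bytes) -> dict[str, list[str]]:
    """Group extracted strings into what an auditor reviews first: mail
    addresses, mail server hosts, and password-shaped tokens."""
    report = {"email_addresses": [], "mail_hosts": [], "credential_candidates": []}
    for s in extract_strings(blob):
        if EMAIL_RE.search(s):
            report["email_addresses"].append(s)
        elif MAILHOST_RE.search(s):
            report["mail_hosts"].append(s)
        elif looks_like_secret(s):
            report["credential_candidates"].append(s)
    return report


if __name__ == "__main__":
    # Usage: python audit_strings.py [path-to-binary]; with no path, the
    # constructed sample above is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for category, hits in audit_binary(data).items():
        print(f"{category}:")
        for hit in hits:
            print(f"  {hit}")
```

A mail host, a mailbox address and a password-shaped token all landing in one report is the pattern the thread is describing, and it is the same thing the decompiler turned up here, only without needing a decompiler. The heuristic will produce false positives on version strings and the like, which is fine for a manual review; the point is to narrow a few thousand strings down to a screenful.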
I was assuming the source does not match binaries case, and for a one-man project like G-Archiver.
How trivial is that to verify if I control both? Depending on the compiler/options you could get some different executables...
Easily could be a test email address that he uses for only that purpose. I'll give him the benefit of the doubt on this one. That doesn't mean I'll use the product however. You have two cases. Either (a) the coder is malicious -or- (b) the coder is sloppy. If I'm paying for a program (g-archiver's site says it's 29.95) then I expect the code to be of good quality ... and having debug code in does not count as good code in my opinion.
Also, I'm kinda interested in his market. Thunderbird has an option to download/sync to a local machine. I'm curious why you'd want to use yet another tool when a decent email client has the same basic feature.
Lack of planning on your part does not constitute an emergency on mine.
Yeah, logging; logging the usernames and passwords of every single user. Perfectly legitimate!
If something is collecting my login information (and thus access to every conversation made using that address), I expect a damn good reason and I expect it before someone else exposes it and potentially gains access to my account and countless others. For that matter, I expect it before the money leaves my hands.
I just read Slashdot for the articles.