Slashdot Mirror


G-Archiver Harvesting Google Mail Passwords

Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."

10 of 462 comments

  1. Re:Just wondering... by karmaflux · Score: 4, Informative

    GMail requires you to authenticate with their SMTP servers to send mail. His choices were to include the account password, implement his own SMTP server and build it into the program, or use an open SMTP server. That last will often get your mail dropped as spam. The second one would have been better-secured, but the guy was obviously dumb enough to include a phishing function in a backup program, so it's obvious why he went with option number one.

    --

    REM Old programmers don't die. They just GOSUB without RETURN.

  2. Re:Even the courts aren't this daft by Z00L00K · Score: 4, Informative

    I actually found a few links that should be useful in cases like this: Of course you may have your own national version of IT incident reporting.

    So if we really want to avoid having the police hunt us for petty crimes of downloading files - give them something real. :-)

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  3. Re:Gmail Backups? by Arccot · Score: 4, Informative

    You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it...

    Gmail has been known to shut down accounts without notice or any chance of reversal. It's prudent to have a copy of your own data at all times, no matter how secure you think someone else is storing it.
  4. Re:what was that dude's name by Hatta · Score: 4, Informative

    That was Ken Thompson, coinventor of UNIX.

    --
    Give me Classic Slashdot or give me death!
  5. Wha?!? by an.echte.trilingue · Score: 5, Informative

    Rather, you're much better off running a strong firewall that's not the same piece of software or hardware at the boundary of your network which will pick up on nasty things

    I am quite interested in learning what kind of hard firewall you have that is capable of distinguishing between a packet sent over port 80 originating in, say, Internet Explorer and any other piece of software. I am also interested in knowing what software firewall you have that can block applications from rewriting its rules to allow themselves access.

    It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't...you can run a packet sniffer and keep an eye on what the software is sending across the network

    Um, IMHO, checking the source is way faster and takes way less skill than this easily subverted clusterf*ck that you are proposing. Besides, the very thing that makes a hardware firewall useless for cases like this also makes this approach unreliable.

    which I would say the vast majority if not 99.9999% of people aren't.

    While we are in the realm of imaginary statistics, I would say that about 100 times as many people are competent to examine the source of a program than to decompile a program and read the resulting nasty, uncommented, tangled pile of commands that results from that. That makes it about 100 times as likely that somebody will find a back door like this in OSS code, doesn't it?

    Oh, by the way, you realize that lots of people are paid to audit OSS code before they deploy it in their company, right? The ability to do this is actually a selling point for a lot of companies.

    (and unless the software has got a built-in ansible, that should be good enough for almost all applications.)

    What are you talking about?

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  6. Re:This is why I backup my Gmail with G-Archiver by Schraegstrichpunkt · Score: 4, Informative

    It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't.

    So? Somebody you trust can do it for you. Or, you can trust that there are enough people looking at the code that they'll find any big problems, and that news of these problems will find its way to you. With non-free software, the number of people looking at the code is much smaller.

  7. Snow Job by feed_me_cereal · Score: 4, Informative

    From the G-Archiver website:

    What happened with G-Archiver?

    It has come to our attention that a flaw in the coding of G-Archiver may have revealed customers' Gmail account usernames and passwords.

    It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away.

    What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.

    We sincerely apologize and assure you that this coding mishap was in no way intentional.

    We'll be releasing a new version that corrects the flaw in version 1.0. The new version will be available very soon.


    This is misleading. They should have fully disclosed the problem if they want to regain anyone's trust. It wasn't that they "may" have been revealed; they as a matter of fact "WERE" revealed. An admission that their program LOGGED AND TRANSMITTED PASSWORDS TO THE PARENT COMPANY would also have been nice.

    --
    "Question with boldness even the existence of a god." - Thomas Jefferson
  8. Re:That REALLY doesn't make sense by Fnord666 · Score: 3, Informative

    Why on h^Hearth do you need the password of this account to be written in the source code?

    Because Gmail's SMTP server uses username/password to authenticate the user before accepting outgoing mail. He was not only emailing info to his Gmail account, he was using Gmail's SMTP server as the outbound connection. Given the purpose of the program, the author assumed that the user had a Gmail account and used Gmail's SMTP server, so the program would not have any firewall issues connecting outbound for its nefarious purposes.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  9. Re:This is why I backup my Gmail with G-Archiver by toriver · Score: 4, Informative

    man strings

    Can't remember if strings is part of Microsoft's "Unix tools for Windows" though, but Cygwin32 will do the trick.

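The check that comments 8 and 9 point at, as an added example that is not code from G-Archiver or from anyone in this thread: a `strings`-style pass over a binary, followed by the few heuristics a reviewer actually applies to spot an embedded mail account. It extracts plain ASCII runs the way `strings` does and also UTF-16LE runs (what `strings -el` reports), because .NET and other Windows binaries store their string literals that way and a plain `strings` would miss them. The byte blob at the bottom is constructed for the demo; the host name, address and password in it are made up. One practical caveat for the packet-sniffer approach argued over in comment 5: an SMTP session to Gmail runs over TLS, so a sniffer sees only the destination, not the credentials; inspecting the binary is the check that actually shows what was embedded.

```python
"""Scan a binary for strings that look like an embedded mail account.

Added example, not code from G-Archiver or from anyone in this thread.
extract_strings() reimplements the core of strings(1): runs of printable
ASCII, plus the UTF-16LE runs that `strings -el` reports (the way .NET
and other Windows binaries store string literals). scan() then applies
the checks a reviewer would use: e-mail addresses, SMTP/IMAP/POP host
names, password-ish keywords, and, after each address, the next short
token nearby as a candidate password.
"""
import re
from typing import List, Optional, Tuple

EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
MAIL_HOST = re.compile(r"^(smtp|pop3?|imap)\.[\w.-]+$", re.IGNORECASE)
SECRET_WORD = re.compile(r"pass(word|wd)?|pwd|secret|token|apikey", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of >= min_len chars."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(data)]
    return sorted(found)


def classify(text: str) -> Optional[str]:
    """Label a single string, or None if nothing about it looks like a credential."""
    if EMAIL.match(text):
        return "email"
    if MAIL_HOST.match(text):
        return "mail-host"
    if SECRET_WORD.search(text):
        return "secret-keyword"
    return None


def scan(data: bytes, window: int = 96) -> List[dict]:
    """Flag credential-looking strings in a binary blob.

    Heuristic: after every e-mail address, the next string within `window`
    bytes that is 6-64 chars, has no spaces and no other label is reported
    as a candidate password, since literals declared together usually land
    next to each other in the binary's string table. Expect false positives
    and read the surroundings in a decompiler before drawing conclusions.
    """
    strings = extract_strings(data)
    findings = []
    for i, (off, enc, text) in enumerate(strings):
        kind = classify(text)
        if kind is None:
            continue
        findings.append({"offset": off, "encoding": enc, "kind": kind, "value": text})
        if kind != "email":
            continue
        for noff, nenc, ntext in strings[i + 1:]:
            if noff - off > window:
                break
            if 6 <= len(ntext) <= 64 and " " not in ntext and classify(ntext) is None:
                findings.append({"offset": noff, "encoding": nenc,
                                 "kind": "candidate-password", "value": ntext})
                break
    return findings


# Constructed stand-in for a Windows binary; the account and password are made up.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                        # PE header fragment
    + b"Backing up %d messages\x00\x00"                  # ordinary ASCII UI string
    + "smtp.gmail.com".encode("utf-16-le") + b"\x00\x00"  # .NET-style UTF-16 literals
    + "archivebot@gmail.com".encode("utf-16-le") + b"\x00\x00"
    + "Tr0ub4dor&3".encode("utf-16-le") + b"\x00\x00"
    + b"\x00\x00\xff\xfe"
    + b"Connection failed\x00"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"0x{f['offset']:06x} {f['encoding']:8} {f['kind']:19} {f['value']}")
```

Run it against a real executable by replacing SAMPLE with `open(path, "rb").read()`; the interesting output is not the candidate password by itself but any mail host or address that a backup tool has no business knowing.
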
  10. Re:The /. crowd has no imagination by cbart387 · Score: 3, Informative

    Easily could be a test email address that he uses for only that purpose. I'll give him the benefit of the doubt on this one. That doesn't mean I'll use the product however. You have two cases. Either (a) the coder is malicious -or- (b) the coder is sloppy. If I'm paying for a program (G-Archiver's site says it's 29.95) then I expect the code to be of good quality ... and having debug code in does not count as good code in my opinion.

    Also, I'm kinda interested in his market. Thunderbird has an option to download/sync to a local machine. I'm curious why you'd want to use yet another tool when a decent email client has the same basic feature.

    --
    Lack of planning on your part does not constitute an emergency on mine.