G-Archiver Harvesting Google Mail Passwords

Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."

Re:Just wondering...

[karmaflux]

GMail requires you to authenticate with their SMTP servers to send mail. His choices were to include the account password, implement his own SMTP server and build it into the program, or use an open SMTP server. That last will often get your mail dropped as spam. The second one would have been better-secured, but the guy was obviously dumb enough to include a phishing function in a backup program, so it's obvious why he went with option number one.

Re:Even the courts aren't this daft

[Z00L00K]

I actually found a few links that should be useful in cases like this:

• FBI NATIONAL COMPUTER CRIME SQUAD (May be outdated)
• FBI Tampa Cyber Crime squad (you may have your own local version of this)
• Internet Crime Complaint Center (IC3)
• CERT
• Forum for Incident Response and Security Teams
• Swedish IT incident Center (sitic at pts dot se)

Of course you may have your own national version of IT incident reporting.

So if we really want to avoid having the police hunt us for petty crimes of downloading files - give them something real. :-)

Re:Gmail Backups?

[Arccot]

You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it... Gmail has been known to shut down down accounts without notice or any chance of reversal. It's prudent to have a copy of your own data at all times, no matter how secure you think someone else is storing it.

Re:what was that dude's name

[Hatta]

That was Ken Thompson, coinventor of UNIX.

Wha?!?

[an.echte.trilingue]

Rather, you're much better off running a strong firewall that's not the same piece of software or hardware at the boundary of your network which will pick up on nasty things I am quite interested in learning what kind of hard firewall you have that is capable of distinguishing between a packet sent over port 80 originating in, say, Internet Explorer and any other piece of software. I am also interested in knowing what software firewall you have that can block applications from rewriting its rules to allow themselves access.

It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't...you can run a packet sniffer and keep an eye on what the software is sending across the network Um, IMHO, checking the source is way faster and takes way less skill than this easily subverted clusterf*ck that you are proposing. Besides, the very thing that makes a hardware firewall useless for cases like this also makes this approach unreliable.

which I would say the vast majority if not 99.9999% of people aren't. While we are in the realm of imaginary statistics, I would say that about 100 times as many people are competent to examine the source of a program than to decompile a program and read the resulting nasty, uncommented, tangled pile of commands that results from that. That makes it about 100 times as likely that somebody will find a back door like this in OSS code, doesn't it?

Oh, by the way, you realize that lots of people are paid to audit OSS code before they deploy it in their company, right? The ability to do this is actually a selling point for a lot of companies.

(and unless the software has got a built-in ansible, that should be good enough for almost all applications.) What are you talking about?

Re:This is why I backup my Gmail with G-Archiver

[Schraegstrichpunkt]

It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't.

So? Somebody you trust can do it for you. Or, you can trust that there are enough people looking at the code that they'll find any big problems, and that news of these problems will find its way to you. With non-free software, the number of people looking at the code is much smaller.

Snow Job

[feed_me_cereal]

From the G-Archiver website:

What happened with G-Archiver?

It has come to our attention that a flaw in the coding of G-Archiver may have revealed customer's Gmail account usernames and passwords.

It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away.

What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.

We sincerely apologize and assure you that this coding mishap was in no way intentional.

We'll be releasing a new version that corrects the flaw in version 1.0. The new version will be available very soon.

This is misleading. They should have fully disclosed the problem if they want to re-gain anyone's trust. It wasn't that they "may" have been revealed; they as a matter of fact "WERE" revealed. An admission that their program LOGGED AND TRANSMITTED PASSWORDS TO THE PARENT COMPANY would also have been nice.

Re:This is why I backup my Gmail with G-Archiver

[toriver]

man strings

Can't remember if strings is part of Microsoft's "Unix tools for Windows" though, but Cygwin32 will do the trick.