Slashdot Mirror

← Back to Stories (view on slashdot.org)

G-Archiver Harvesting Google Mail Passwords

Posted by kdawson on from the change-password-now dept.

Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."

1 of 462 comments (clear)

  1. Wha?!? by an.echte.trilingue · · Score: 5, Informative

    Rather, you're much better off running a strong firewall that's not the same piece of software or hardware at the boundary of your network which will pick up on nasty things I am quite interested in learning what kind of hard firewall you have that is capable of distinguishing between a packet sent over port 80 originating in, say, Internet Explorer and any other piece of software. I am also interested in knowing what software firewall you have that can block applications from rewriting its rules to allow themselves access.

    It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't...you can run a packet sniffer and keep an eye on what the software is sending across the network Um, IMHO, checking the source is way faster and takes way less skill than this easily subverted clusterf*ck that you are proposing. Besides, the very thing that makes a hardware firewall useless for cases like this also makes this approach unreliable.

    which I would say the vast majority if not 99.9999% of people aren't. While we are in the realm of imaginary statistics, I would say that about 100 times as many people are competent to examine the source of a program than to decompile a program and read the resulting nasty, uncommented, tangled pile of commands that results from that. That makes it about 100 times as likely that somebody will find a back door like this in OSS code, doesn't it?

    Oh, by the way, you realize that lots of people are paid to audit OSS code before they deploy it in their company, right? The ability to do this is actually a selling point for a lot of companies.

    (and unless the software has got a built-in ansible, that should be good enough for almost all applications.) What are you talking about?
    --
    weirdest thing I ever saw: scientology advertising on slashdot.