Slashdot Mirror
G-Archiver Harvesting Google Mail Passwords
Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."
"The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in [CC] the product."
Right. And I have a bridge I'd like to sell you too.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
If you're debugging, you already have the account details. What possible reason could you have to email them to yourself?
If this was a big company, they would have denied it and gone after him under the DMCA. At least the admitted to something and pulled to product.
You don't have to work in IT to know that there is no reason for G-Archiver to send the password to anyone but Google. This guy deserves to be prosecuted under anti-hacking statutes.
Good intentions and all, but I'm sure Mr. Brooks just opened himself up to "hacking" charges.
Or simply use IMAP to archive your gmail account...
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
what can be explained by incompetance?
Although in this case, that's some serious incompetance going on!
It doesn't mean much now, it's built for the future.
And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you. Once you've given it to them, you have no control over what they do with it.
This seems to be a clear case of privacy invasion and unauthorized access to private data. And I think that this should have been brought to the attention of the police for further investigation.
In this case the guilty will have time to cover his tracks and hide.
Try this approach the next time you see something as grave as this. The worst thing that can happen if you report it is that the case gets dismissed.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
You still have to trust the IMAP client to not be logging your passwords. It all comes down to whether or not you trust where the software came from. Luckily for open source projects there's an easy audit trail (so long as you compile from that source - a premade binary distributed with source could still contain malicious code simply not included in the provided source). For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
Maybe I'm getting old, but this seems like a pretty clear case of "oh crap, I'm an idiot", rather than "mwuahahah, my plan for global domination proceeds apace!". According to the posting on codinghorror, the guy who found the issue (Dustin Brooks) found that the creator, John Terry, of the G-Archiver software had left his own email information in the code. Yes, the G-archiver forwarded a record of the account information of everyone who used the app to that mailbox, but if you look at the screenshot, none of those emails has been flagged as read by gmail (but maybe that's an artifact of a POP connection?).
Either way, this just smacks to me of a novice developer doing something incredibly dumb, rather than incredibly malicious. If he actually wanted to just collect other people's account information, why leave his own in the source code? He could have just as easily forwarded the information to an anonymized email account, or simply an account for which the login information was not present in source.
Just my opinion, I reserve the right to be wrong.[...]
Google's statement continues. "We are investigating this incident, the underlying activities of which violate Gmail Program Policies. We have suspended the suspect account, and are in the process of notifying the owners of those accounts whose passwords may have been compromised. It's unfortunate that fraudsters continue to use email for these purposes. We have phishing detection capabilities built into Gmail, so we were able to act quickly to limit the impact of this particular attack." I have never read Google's Privacy Policy but am slightly concerned that they appear to be able to access emails after their deletion.
"Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.
.Net which is fairly easy to decompile. If he had chosen C++, there's a good chance no one would have bothered to pore over the assembly and find this out.
The upshot of this case is that the app in question was written with
Give me Classic Slashdot or give me death!
He tried but it caused an infinite loop.
Overuse of the Pumping Lemma causes blindness
Sure, but someone could have checked the net activity just as easily.
-mkb
Not really JUST as easily. You fully expect the G-Archiver to be transmitting encrypted (ssl) data to google. A few extra packets aren't going to raise any red flags.
Check out my lame java blog at www.javachopshop.com
When you delete e-mails (even if you hit "Delete Forever"), GMail does not actually delete your e-mails right away. All that happens is you can't see them any more. Google has been rather forthright about this from day 1 of the Beta; it raised a big furor when GMail was first released.
From the GMail Privacy Policy: (which is blessedly short, and in English)
"You may organize or delete your messages through your Gmail account or terminate your account through the Google Account section of Gmail settings. Such deletions or terminations will take immediate effect in your account view. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our active servers and may remain in our offline backup systems."
SirWired
Wouldn't help a bit; the good and the bad parts of the software used the same port to the same server in the same way.
run a packet snifferWouldn't help a bit; the good and the bad parts of the software used the same SSL channel, you won't get into that with a normal sniffer.
c++;
And did you build a bootstrap C compiler from scratch?
http://www.informit.com/articles/article.aspx?p=102181&seqNum=4
As I read the comments attached to this article, I see that many slashdotters can't imagine why this debug code would be put into the software in the first place.
To those slashdotters: You people have no imagination.
Imagine you're a G-Archiver developer, and one of your customers calls you, saying "Your program doesn't work. It's saying something about an invalid user." In order to reproduce the problem, you ask the customer for his credentials. He tells you his username and password over the phone, and you try logging in yourself. It works fine.
After a while, you think the problem might be that the password being entered is different from the one you were given over the phone. Perhaps it has something to do with the customer's strange keyboard layout, or maybe the customer's keyboard has some flaky keys.
So what do you do? You give that one customer a special build of the software that emails you the username and password as entered.
Later, you accidentally check in the debug code for that special build. Oops.
What I want to know is, if he used this for debugging purposes and left it in by accident, why didn't he ever see thousands of Gmail passwords showing up in his inbox and realize the problem?
This is an interesting point. I wonder if the login history of the account shows that he hasn't bothered to log in for quite a while - perhaps it is an account specifically for this purpose rather than his usual account. That might give credence to his claim of it being debug code and having forgotten about it.
I suppose he could have had the passwords filtered in some way and not noticed the 'folder' (or whatever gmail has) filling up.
Max.
From looking at the pictures on the blog of the guy who discovered this, there were over 1000 unread emails - all the ones on the initial page of the inbox were usernames and passwords, quite clearly unread. If we're giving him the benefit of the doubt, tt is likely that this was just a throw away account used for testing... or else he probably would've changed his own password, no?
Every cloud has a silver lining, but, then again, so does every cigarette packet.
How do you know those are his own login credentials, and not a red herring? That's the funny thing about trust ... once it's gone, it's a whole other ballgame. Here we have a company providing a nigh-useless "service" with broken English in their FAQ (weak circumstantial evidence only, but still evidence) and that employs coding practices either underhanded or dubious.
Does it really matter which it is? There's no compelling reason to ever use their product, and they've just demonstrated that they can't be trusted. Is it really any better if it's due to ineptness rather than maliciousness?
I see this particular misconception going around on /. all the time nowadays, and I'm rather tired of it. The claim is always something along the lines of: "there's no security advantage in using open source software unless you examine the source and compile everything yourself".
:) The same is true of every other OS on the planet. (yes yes, even Gentoo, and even if you hypothetically audited every application yourself before compiling it. Hopefully I don't need to explain this, many other posters have already linked to 'trusting trust'. Suffice to say that you have to trust someone at some point, even if it's the supplier of your C compiler, your processor microcode, etc).
That holds true if you run around downloading random binaries from random websites (ie. the way your typical Windows user acquires all their software). But hardly anybody who has used an OS with a proper package manager for more than 10 minutes actually does this.
I get all my software from my distribution. Currently Ubuntu, for example. Yes, their package maintainers build my binaries, I don't build 'em myself. But it isn't unreasonable for me to trust Ubuntu. They supply my OS, after all, so if I can't even trust them then I'm already up the creek
Now, Ubuntu are presumably building from the publically released source code for each application (ie. the source code supplied by the original application author), the same as everyone else. So in the open source world, all the binaries floating around out there (at least from the people you trust!) DO match the available source code. And we don't all need to audit it - it only takes one person (maybe working at a company that pays them to audit open source programs, as other posters have suggested) to discover something nefarious, and we'd all drop it like a hot potato.
That isn't to say that it's impossible to sneak back doors into open source programs, or that package maintainers are all 100% trustworthy (they're only human. but so far they have an exceptional track record). But using an open source program supplied by your distribution is a damn sight safer than downloading and running some binary from Joe Random's obscure website (or company, for that matter).
Of course, there are still occasions where you need some program that isn't in the repositories, but those occasions seem to be becoming more and more rare these days. When this occurs I do actually tend to compile it myself (./configure; make; make install. really tricky eh?), but I can't remember the last time I needed to install something like this. 98% of what I need is in the repositories, and I'd wager 100% of what your average man-on-the-street needs.
--Gareth