Slashdot Mirror

← Back to Stories (view on slashdot.org)

G-Archiver Harvesting Google Mail Passwords

Posted by kdawson on from the change-password-now dept.

Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."

51 of 462 comments (clear)

  1. This is why I backup my Gmail with G-Archiver by Anonymous Coward · · Score: 5, Funny

    Oh, wait...

    1. Re:This is why I backup my Gmail with G-Archiver by afidel · · Score: 4, Insightful

      Or simply use IMAP to archive your gmail account...

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:This is why I backup my Gmail with G-Archiver by MBGMorden · · Score: 4, Insightful

      You still have to trust the IMAP client to not be logging your passwords. It all comes down to whether or not you trust where the software came from. Luckily for open source projects there's an easy audit trail (so long as you compile from that source - a premade binary distributed with source could still contain malicious code simply not included in the provided source). For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    3. Re:This is why I backup my Gmail with G-Archiver by Hatta · · Score: 4, Insightful

      For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.

      The upshot of this case is that the app in question was written with .Net which is fairly easy to decompile. If he had chosen C++, there's a good chance no one would have bothered to pore over the assembly and find this out.

      --
      Give me Classic Slashdot or give me death!
    4. Re:This is why I backup my Gmail with G-Archiver by bberens · · Score: 5, Insightful

      Not really JUST as easily. You fully expect the G-Archiver to be transmitting encrypted (ssl) data to google. A few extra packets aren't going to raise any red flags.

      --
      Check out my lame java blog at www.javachopshop.com
    5. Re:This is why I backup my Gmail with G-Archiver by pipatron · · Score: 5, Insightful

      running a strong firewall

      Wouldn't help a bit; the good and the bad parts of the software used the same port to the same server in the same way.

      run a packet sniffer

      Wouldn't help a bit; the good and the bad parts of the software used the same SSL channel, you won't get into that with a normal sniffer.

      --
      c++; /* this makes c bigger but returns the old value */
    6. Re:This is why I backup my Gmail with G-Archiver by Schraegstrichpunkt · · Score: 4, Informative

      It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't.

      So? Somebody you trust can do it for you. Or, you can trust that there are enough people looking at the code that they'll find any big problems, and that news of these problems will find its way to you. With non-free software, the number of people looking at the code is much smaller.

      --
      http://outcampaign.org/
    7. Re:This is why I backup my Gmail with G-Archiver by infonography · · Score: 5, Funny

      Well he wrote it .Net, isn't that enough evidence of malicious intent?

      --
      Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
    8. Re:This is why I backup my Gmail with G-Archiver by Sleepy · · Score: 4, Funny

      >For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.

      Arcane trickery to see what the code is doing?
      You've obviously never edited someone else's Perl...

    9. Re:This is why I backup my Gmail with G-Archiver by toriver · · Score: 4, Informative

      man strings

      Can't remember if strings is part of Microsoft's "Unix tools for Windows" though, but Cygwin32 will do the trick.

    10. Re:This is why I backup my Gmail with G-Archiver by TheoMurpse · · Score: 5, Insightful

      What I want to know is, if he used this for debugging purposes and left it in by accident, why didn't he ever see thousands of Gmail passwords showing up in his inbox and realize the problem?

    11. Re:This is why I backup my Gmail with G-Archiver by Rabbi+T.+White · · Score: 5, Insightful

      From looking at the pictures on the blog of the guy who discovered this, there were over 1000 unread emails - all the ones on the initial page of the inbox were usernames and passwords, quite clearly unread. If we're giving him the benefit of the doubt, tt is likely that this was just a throw away account used for testing... or else he probably would've changed his own password, no?

      --
      Every cloud has a silver lining, but, then again, so does every cigarette packet.
    12. Re:This is why I backup my Gmail with G-Archiver by LrdDimwit · · Score: 4, Insightful

      How do you know those are his own login credentials, and not a red herring? That's the funny thing about trust ... once it's gone, it's a whole other ballgame. Here we have a company providing a nigh-useless "service" with broken English in their FAQ (weak circumstantial evidence only, but still evidence) and that employs coding practices either underhanded or dubious.

      Does it really matter which it is? There's no compelling reason to ever use their product, and they've just demonstrated that they can't be trusted. Is it really any better if it's due to ineptness rather than maliciousness?

  2. Debug, Sure by Archangel+Michael · · Score: 5, Insightful

    "The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in [CC] the product."

    Right. And I have a bridge I'd like to sell you too.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Debug, Sure by tristian_was_here · · Score: 5, Funny

      I did something similar I once picked up the wrong keys yet when I went to take them back to the person I decided to let myself in and accidentally walked out with a new TV.

    2. Re:Debug, Sure by Anonymous Coward · · Score: 5, Funny

      Right. And I have a bridge I'd like to sell you too.

      Why do you feel the need to hurt the reputation and business of us legitimate bridge sellers?!?

    3. Re:Debug, Sure by gEvil+(beta) · · Score: 4, Funny

      oiling snakes I assume?

      And who among us can honestly say they've never oiled their snake?

      --
      This guy's the limit!
    4. Re:Debug, Sure by bcat24 · · Score: 4, Funny

      And who among us can honestly say they've never oiled their snake?
      Girls?
    5. Re:Debug, Sure by pipatron · · Score: 4, Funny

      And who among us can honestly say they've never oiled their snake? Girls?

      He said us, that clearly excludes girls.

      --
      c++; /* this makes c bigger but returns the old value */
    6. Re:Debug, Sure by DancesWithBlowTorch · · Score: 4, Funny

      And who among us can honestly say they've never oiled their snake?

      Girls?
      Who?
  3. That doesn't make sense. by RandoX · · Score: 5, Insightful

    If you're debugging, you already have the account details. What possible reason could you have to email them to yourself?

    1. Re:That doesn't make sense. by sholden · · Score: 4, Insightful

      Doesn't make any sense. Why would you go through the process of sending an email with the information when you could just print it to a file, or throw it in a dialog box.

      A developer wanting to collect people's usernames and passwords and realising that since the program talks to gmail already doing so over gmail would make it much less likely to be noticed by people monitoring network connections for "phone home" behaviour, seems the most likely explanation. Of course there mightn't be any malicious intent, just a "cool, look at all the accounts I collected" thing - like those people who get a warez copy of every piece of software ever released without ever actually using any of them...

  4. Hmmm by Anonymous Coward · · Score: 5, Funny

    he deleted the emails But did he make a backup first?
    1. Re:Hmmm by jeepee · · Score: 5, Insightful

      he deleted the emails
      But did he make a backup first?

      He tried but it caused an infinite loop.
      --
      Overuse of the Pumping Lemma causes blindness
  5. DMCA by yohaas · · Score: 5, Insightful

    If this was a big company, they would have denied it and gone after him under the DMCA. At least the admitted to something and pulled to product.

  6. Even the courts aren't this daft by MikeRT · · Score: 4, Insightful

    You don't have to work in IT to know that there is no reason for G-Archiver to send the password to anyone but Google. This guy deserves to be prosecuted under anti-hacking statutes.

    1. Re:Even the courts aren't this daft by WPIDalamar · · Score: 5, Funny

      It only did send them to Gmail :)

    2. Re:Even the courts aren't this daft by Zordak · · Score: 5, Funny

      This guy deserves to be prosecuted under anti-hacking statutes. Exactly. I mean, he was using a debugger! Doesn't he know that violates the DMCA? No doubt he'll be hearing from the G-Archiver lawyers AND the DoJ soon. It's time to show this clown that, in America, we don't put up with these kinds of shenanigans. And somebody call the copyright lobby. This is exactly the story they've been looking for to justify increasing the penalties for violating copyright to capital punishment.
      --

      Today's Sesame Street was brought to you by the number e.
    3. Re:Even the courts aren't this daft by Z00L00K · · Score: 4, Informative
      I actually found a few links that should be useful in cases like this: Of course you may have your own national version of IT incident reporting.

      So if we really want to avoid having the police hunt us for petty crimes of downloading files - give them something real. :-)

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  7. Nice move, but illegal? by RandoX · · Score: 4, Insightful

    Good intentions and all, but I'm sure Mr. Brooks just opened himself up to "hacking" charges.

    1. Re:Nice move, but illegal? by San-LC · · Score: 5, Insightful

      Possibly by some ridiculous interpretation of the law, Mr. Books was "hacking." However, he purchased the rights to use G-Archiver, and he did not recompile the program in a different way and label it his own. He used information that the program (to which he has the rights to use, unless otherwise stated in some bullsheet EULA) used, found out that this program acted like a Trojan virus and submitted private information to an individual's e-mail account, and subsequently removed his information and disallowed any new information to be read.

      Granted, he probably shouldn't have deleted everything and changed the password (morally: yes, legally: no), so it's likely he may face charges because of this. That's our legal system, folks.

  8. Caught by Itninja · · Score: 4, Funny

    Looks like someone got caught with their pants down in the cookie jar. That's not nearly as hot as it sounds.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  9. Never ascribe to malice by Pope · · Score: 5, Insightful

    what can be explained by incompetance?

    Although in this case, that's some serious incompetance going on!

    --
    It doesn't mean much now, it's built for the future.
  10. Don't give out passwords by Todd+Knarr · · Score: 4, Insightful

    And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you. Once you've given it to them, you have no control over what they do with it.

    1. Re:Don't give out passwords by gnick · · Score: 4, Insightful

      And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you. This is a little bit different than the standard "give your password out" case. I give my e-mail password to Thunderbird. I give Firefox a few of my passwords. Because those applications need those passwords to authenticate with remote servers so that they can "do something for me." For folks who were using it, the same goes with G-archiver. In some applications, you just have to decide whether the service being rendered is worth you taking the risk that the application may be malevolent. (Or putting a lot of effort into being reasonably sure that it's kept in check.)
      --
      He's getting rather old, but he's a good mouse.
  11. Just wondering... by Doodhwala · · Score: 5, Interesting


    So why did the binary program also have the password for the gmail account? One would assume that the email address would have been enough. After all, sending someone email doesn't require their password.

    1. Re:Just wondering... by karmaflux · · Score: 4, Informative

      GMail requires you to authenticate with their SMTP servers to send mail. His choices were to include the account password, implement his own SMTP server and build it into the program, or use an open SMTP server. That last will often get your mail dropped as spam. The second one would have been better-secured, but the guy was obviously dumb enough to include a phishing function in a backup program, so it's obvious why he went with option number one.

      --

      REM Old programmers don't die. They just GOSUB without RETURN.

  12. Re:Trust me, trust me not. by Z00L00K · · Score: 4, Insightful
    I don't believe that for a moment.

    This seems to be a clear case of privacy invasion and unauthorized access to private data. And I think that this should have been brought to the attention of the police for further investigation.

    In this case the guilty will have time to cover his tracks and hide.

    Try this approach the next time you see something as grave as this. The worst thing that can happen if you report it is that the case gets dismissed.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  13. Re:A-ha! by Roofus · · Score: 5, Funny

    Yeah, I was logged into your account and noticed that too....very strange!

  14. Doesn't look malicious to me by Pogie · · Score: 5, Insightful

    Maybe I'm getting old, but this seems like a pretty clear case of "oh crap, I'm an idiot", rather than "mwuahahah, my plan for global domination proceeds apace!". According to the posting on codinghorror, the guy who found the issue (Dustin Brooks) found that the creator, John Terry, of the G-Archiver software had left his own email information in the code. Yes, the G-archiver forwarded a record of the account information of everyone who used the app to that mailbox, but if you look at the screenshot, none of those emails has been flagged as read by gmail (but maybe that's an artifact of a POP connection?).

    Either way, this just smacks to me of a novice developer doing something incredibly dumb, rather than incredibly malicious. If he actually wanted to just collect other people's account information, why leave his own in the source code? He could have just as easily forwarded the information to an anonymized email account, or simply an account for which the login information was not present in source.

    Just my opinion, I reserve the right to be wrong.
  15. Deleted the emails by gorre · · Score: 4, Insightful
    From the Information Week article:

    Brooks said he then deleted the presumably stolen account information, changed the password on the account, and notified Google.
    [...]
    Google's statement continues. "We are investigating this incident, the underlying activities of which violate Gmail Program Policies. We have suspended the suspect account, and are in the process of notifying the owners of those accounts whose passwords may have been compromised. It's unfortunate that fraudsters continue to use email for these purposes. We have phishing detection capabilities built into Gmail, so we were able to act quickly to limit the impact of this particular attack."     I have never read Google's Privacy Policy but am slightly concerned that they appear to be able to access emails after their deletion.
    --
    "Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
    1. Re:Deleted the emails by L0rdJedi · · Score: 4, Insightful

      Why? Because they happen to keep backups of email, like everyone else on the planet?

  16. Re:Debug, Sure... Around 1999 I found this out by davidsyes · · Score: 4, Interesting

    by using a protocol analyzer to recover my OWN login and password for my side of the company's intranet. Turned out that the web software we used (can't remember the name, but it was not front phage, but it was indeed popular at the time) was harvesting or retaining ALL USER ACCOUNTS names and passwords. I became scared shitless because I was not sure how IT would feel. But I was former IT in the company and felt obligated to warn them that the vendor was conducting shitty coding processes and put not only OUR company at risk but other companies as well. If they had any diagnostic or call-home code in their web site building software, then potentially a corrupt employee in their company could gain some limited or full access to many companies' intranets if they gained physical access to the building. And, we all know about piggy-backing, where thieves waltzed in behind other employees, then proceeded to lift laptops, purses, keys, wallets, documents, whatever they could steal.

    DAMN, I wish I could recall the name. I may ..

    Here we go... I'm PRETTY damned sure it was NetObjects Fusion. Just googled "Year 1999 web building applications intranet web" and they were at the top of the list... I preferred it over front phage, but...

    And, now that I Google "Year 1999 protocol analyzer sniffer packet" it seems to refresh my memory that I am PRETTY sure Sniffer Basic was the tool I used.

    Of course, after that I never used any such tool on the LAN. But, being formerly in the IT department, and knowing what to look out for to help the company probably kept me out of trouble.

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  17. Re:Gmail Backups? by Arccot · · Score: 4, Informative

    You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it... Gmail has been known to shut down down accounts without notice or any chance of reversal. It's prudent to have a copy of your own data at all times, no matter how secure you think someone else is storing it.
  18. Re:what was that dude's name by Hatta · · Score: 4, Informative

    That was Ken Thompson, coinventor of UNIX.

    --
    Give me Classic Slashdot or give me death!
  19. Re:what was that dude's name by adamofgreyskull · · Score: 4, Interesting
    Ken Thomson?
    The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.

    Such blatant code would not go undetected for long. Even the most casual perusal of the source of the C compiler would raise suspicions.

    (...)

    The final step is represented in Figure 7. This simply adds a second Trojan horse to the one that already exists. The second pattern is aimed at the C compiler. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere.
  20. Your e-mails haven't ever been actually deleted by sirwired · · Score: 4, Insightful

    When you delete e-mails (even if you hit "Delete Forever"), GMail does not actually delete your e-mails right away. All that happens is you can't see them any more. Google has been rather forthright about this from day 1 of the Beta; it raised a big furor when GMail was first released.

    From the GMail Privacy Policy: (which is blessedly short, and in English)
    "You may organize or delete your messages through your Gmail account or terminate your account through the Google Account section of Gmail settings. Such deletions or terminations will take immediate effect in your account view. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our active servers and may remain in our offline backup systems."

    SirWired

  21. Wha?!? by an.echte.trilingue · · Score: 5, Informative

    Rather, you're much better off running a strong firewall that's not the same piece of software or hardware at the boundary of your network which will pick up on nasty things I am quite interested in learning what kind of hard firewall you have that is capable of distinguishing between a packet sent over port 80 originating in, say, Internet Explorer and any other piece of software. I am also interested in knowing what software firewall you have that can block applications from rewriting its rules to allow themselves access.

    It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't...you can run a packet sniffer and keep an eye on what the software is sending across the network Um, IMHO, checking the source is way faster and takes way less skill than this easily subverted clusterf*ck that you are proposing. Besides, the very thing that makes a hardware firewall useless for cases like this also makes this approach unreliable.

    which I would say the vast majority if not 99.9999% of people aren't. While we are in the realm of imaginary statistics, I would say that about 100 times as many people are competent to examine the source of a program than to decompile a program and read the resulting nasty, uncommented, tangled pile of commands that results from that. That makes it about 100 times as likely that somebody will find a back door like this in OSS code, doesn't it?

    Oh, by the way, you realize that lots of people are paid to audit OSS code before they deploy it in their company, right? The ability to do this is actually a selling point for a lot of companies.

    (and unless the software has got a built-in ansible, that should be good enough for almost all applications.) What are you talking about?
    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  22. Re:The /. crowd has no imagination by Tim+Browse · · Score: 4, Insightful

    Later, you accidentally check in the debug code for that special build. Oops.

    And you don't notice the 1,777 emails piling up in your inbox until someone investigates your code and calls you out on it.

    I agree with the others - you interested in buying a bridge?

  23. Snow Job by feed_me_cereal · · Score: 4, Informative
    From the G-Archiver website:

    What happened with G-Archiver?

    It has come to our attention that a flaw in the coding of G-Archiver may have revealed customer's Gmail account usernames and passwords.

    It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away.

    What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.

    We sincerely apologize and assure you that this coding mishap was in no way intentional.

    We'll be releasing a new version that corrects the flaw in version 1.0. The new version will be available very soon.


    This is misleading. They should have fully disclosed the problem if they want to re-gain anyone's trust. It wasn't that they "may" have been revealed; they as a matter of fact "WERE" revealed. An admission that their program LOGGED AND TRANSMITTED PASSWORDS TO THE PARENT COMPANY would also have been nice.
    --
    "Question with boldness even the existence of a god." - Thomas Jefferson
  24. Not to be droll by IBitOBear · · Score: 4, Interesting

    Turns out, I have actually oiled snakes. And I am not talking plumbing snakes.

    I worked at a pet store that did some light animal care, and snakes were some of the animals we treated and kept. The oil was Linatone(tm). It helps snakes shed, and it is lightly anti-biotic and anti-microbial and anti-parasite. (it makes reptiles happy 8-).

    So yes, snake oil for oiling snakes...

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press