G-Archiver Harvesting Google Mail Passwords

Posted by kdawson on Tuesday March 11, @01:47PM
from the change-password-now dept.
Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."

  • by Anonymous Coward on Tuesday March 11, @01:47PM (#22719340)
    Oh, wait...
  • Debug, Sure (Score:5, Insightful)

    by Archangel Michael (180766) on Tuesday March 11, @01:48PM (#22719356) Journal
    "The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."

    Right. And I have a bridge I'd like to sell you too.
    • Re:Debug, Sure (Score:5, Funny)

      by tristian_was_here (865394) on Tuesday March 11, @01:55PM (#22719482)
      I did something similar. I once picked up the wrong keys, yet when I went to take them back to the person I decided to let myself in and accidentally walked out with a new TV.
    • Re:Debug, Sure (Score:5, Funny)

      by Anonymous Coward on Tuesday March 11, @02:00PM (#22719580)
      Right. And I have a bridge I'd like to sell you too.

      Why do you feel the need to hurt the reputation and business of us legitimate bridge sellers?!?
  • That doesn't make sense. (Score:5, Insightful)

    by RandoX (828285) on Tuesday March 11, @01:50PM (#22719406)
    If you're debugging, you already have the account details. What possible reason could you have to email them to yourself?
  • Hmmm (Score:5, Funny)

    by Anonymous Coward on Tuesday March 11, @01:50PM (#22719410)

    he deleted the emails
    But did he make a backup first?
  • DMCA (Score:5, Insightful)

    by yohaas (228469) on Tuesday March 11, @01:51PM (#22719424)
    If this was a big company, they would have denied it and gone after him under the DMCA. At least they admitted to something and pulled the product.
  • Even the courts aren't this daft (Score:5, Insightful)

    by MikeRT (947531) on Tuesday March 11, @01:51PM (#22719426) Homepage
    You don't have to work in IT to know that there is no reason for G-Archiver to send the password to anyone but Google. This guy deserves to be prosecuted under anti-hacking statutes.
  • Nice move, but illegal? (Score:5, Insightful)

    by RandoX (828285) on Tuesday March 11, @01:52PM (#22719446)
    Good intentions and all, but I'm sure Mr. Brooks just opened himself up to "hacking" charges.
    • Re:Nice move, but illegal? (Score:5, Insightful)

      by San-LC (1104027) on Tuesday March 11, @02:03PM (#22719652)
      Possibly by some ridiculous interpretation of the law, Mr. Brooks was "hacking." However, he purchased the rights to use G-Archiver, and he did not recompile the program in a different way and label it his own. He used information that the program (to which he has the rights to use, unless otherwise stated in some bullsheet EULA) used, found out that this program acted like a Trojan virus and submitted private information to an individual's e-mail account, and subsequently removed his information and disallowed any new information to be read.

      Granted, he probably shouldn't have deleted everything and changed the password (morally: yes, legally: no), so it's likely he may face charges because of this. That's our legal system, folks.
  • Caught (Score:5, Funny)

    by Itninja (937614) on Tuesday March 11, @01:53PM (#22719450) Homepage
    Looks like someone got caught with their pants down in the cookie jar. That's not nearly as hot as it sounds.
  • Never ascribe to malice (Score:5, Insightful)

    by Pope (17780) on Tuesday March 11, @01:56PM (#22719502) Homepage
    what can be explained by incompetence?

    Although in this case, that's some serious incompetence going on!
  • Don't give out passwords (Score:5, Insightful)

    by Todd Knarr (15451) on Tuesday March 11, @01:57PM (#22719528) Homepage

    And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you. Once you've given it to them, you have no control over what they do with it.

  • Just wondering... (Score:5, Interesting)

    by Doodhwala (13342) on Tuesday March 11, @01:59PM (#22719576) Homepage

    So why did the binary program also have the password for the gmail account? One would assume that the email address would have been enough. After all, sending someone email doesn't require their password.
    • Re:Just wondering... (Score:5, Informative)

      by karmaflux (148909) on Tuesday March 11, @02:21PM (#22719962) Homepage
      GMail requires you to authenticate with their SMTP servers to send mail. His choices were to include the account password, implement his own SMTP server and build it into the program, or use an open SMTP server. That last will often get your mail dropped as spam. The second one would have been better-secured, but the guy was obviously dumb enough to include a phishing function in a backup program, so it's obvious why he went with option number one.
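      As an added illustration (not code from the article, G-Archiver, or any commenter), here is a strings-style scan for the kind of embedded mail account and password Brooks found by decompiling: it pulls printable runs out of a binary blob and flags an e-mail address whose neighbouring strings look like an SMTP host or a password. The sample bytes, account name and password below are constructed.

```python
import re
import string
from math import log2

# Constructed sample: what a strings pass over a shipped binary might yield when
# a developer leaves an SMTP login embedded next to the mail host it talks to.
SAMPLE_BINARY = (
    b"\x00\x00MZ\x90\x00\x03\x00\x00\x00"
    b"smtp.gmail.com\x00"
    b"example.backup.dev@gmail.com\x00"   # constructed account name
    b"Tr0ub4dor&3xample\x00"              # constructed password
    b"Backup complete\x00"
    b"\x7f\x7f\x7f"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Printable ASCII including space, but no control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob, min_len=4):
    """Return runs of printable ASCII at least min_len bytes long (like `strings`)."""
    out, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out


def shannon_entropy(s):
    """Bits per character; random-looking passwords score well above plain words."""
    return -sum(s.count(c) / len(s) * log2(s.count(c) / len(s)) for c in set(s))


def find_embedded_credentials(blob, window=2, min_entropy=3.0):
    """Flag e-mail addresses with an SMTP host or password-like string nearby.
    Heuristic: a hit is a lead for manual review, not proof of harvesting."""
    strs, hits = extract_strings(blob), []
    for i, s in enumerate(strs):
        if not EMAIL_RE.fullmatch(s):
            continue
        near = strs[max(0, i - window):i] + strs[i + 1:i + 1 + window]
        host = [n for n in near if n.lower().startswith("smtp.")]
        pw = [n for n in near if n not in host and " " not in n
              and 8 <= len(n) <= 64 and not EMAIL_RE.fullmatch(n)
              and shannon_entropy(n) >= min_entropy]
        if host or pw:
            hits.append({"account": s, "host": host, "password_candidates": pw})
    return hits
```

      Run against a real build artifact, a hit tells a reviewer exactly which account to rotate and which code path to inspect before the binary ships.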
  • Doesn't look malicious to me (Score:5, Insightful)

    by Pogie (107471) on Tuesday March 11, @02:11PM (#22719828)

    Maybe I'm getting old, but this seems like a pretty clear case of "oh crap, I'm an idiot", rather than "mwuahahah, my plan for global domination proceeds apace!". According to the posting on codinghorror, the guy who found the issue (Dustin Brooks) found that the creator, John Terry, of the G-Archiver software had left his own email information in the code. Yes, the G-archiver forwarded a record of the account information of everyone who used the app to that mailbox, but if you look at the screenshot, none of those emails has been flagged as read by gmail (but maybe that's an artifact of a POP connection?).

    Either way, this just smacks to me of a novice developer doing something incredibly dumb, rather than incredibly malicious. If he actually wanted to just collect other people's account information, why leave his own in the source code? He could have just as easily forwarded the information to an anonymized email account, or simply an account for which the login information was not present in source.

    Just my opinion, I reserve the right to be wrong.
  • Deleted the emails (Score:5, Insightful)

    by gorre (519164) on Tuesday March 11, @02:13PM (#22719852) Homepage
    From the Information Week article:

    Brooks said he then deleted the presumably stolen account information, changed the password on the account, and notified Google.
    [...]
    Google's statement continues. "We are investigating this incident, the underlying activities of which violate Gmail Program Policies. We have suspended the suspect account, and are in the process of notifying the owners of those accounts whose passwords may have been compromised. It's unfortunate that fraudsters continue to use email for these purposes. We have phishing detection capabilities built into Gmail, so we were able to act quickly to limit the impact of this particular attack."
    I have never read Google's Privacy Policy but am slightly concerned that they appear to be able to access emails after their deletion.
    • Re:Trust me, trust me not. (Score:5, Insightful)

      by Z00L00K (682162) on Tuesday March 11, @02:02PM (#22719642)
      I don't believe that for a moment.

      This seems to be a clear case of privacy invasion and unauthorized access to private data. And I think that this should have been brought to the attention of the police for further investigation.

      In this case the guilty will have time to cover his tracks and hide.

      Try this approach the next time you see something as grave as this. The worst thing that can happen if you report it is that the case gets dismissed.