Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security Businesses Google The Internet

G-Archiver Harvesting Google Mail Passwords 462

Posted by kdawson
from the change-password-now dept.
Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."
This discussion has been archived. No new comments can be posted.

G-Archiver Harvesting Google Mail Passwords

Comments Filter:
  • by Anonymous Coward on Tuesday March 11, 2008 @12:47PM (#22719340)
    Oh, wait...
    • I've always thought those tools looked shady. Come on people, amazon s3 is not that expensive. Pony up.
      • by afidel (530433) on Tuesday March 11, 2008 @12:54PM (#22719474)
        Or simply use IMAP to archive your gmail account...
        • by MBGMorden (803437) on Tuesday March 11, 2008 @01:08PM (#22719768)
          You still have to trust the IMAP client to not be logging your passwords. It all comes down to whether or not you trust where the software came from. Luckily for open source projects there's an easy audit trail (so long as you compile from that source - a premade binary distributed with source could still contain malicious code simply not included in the provided source). For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.
          • by Hatta (162192) on Tuesday March 11, 2008 @01:20PM (#22719950) Journal
            For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.

            The upshot of this case is that the app in question was written with .Net which is fairly easy to decompile [aisto.com]. If he had chosen C++, there's a good chance no one would have bothered to pore over the assembly and find this out.
          • Re: (Score:3, Insightful)

            by Spokehedz (599285)
            Umm... Gmail lets you use IMAP from their own servers. So, it would be your own client. On your own computer.

            I'm failing to see how this is insecure.
          • by Sleepy (4551) on Tuesday March 11, 2008 @03:04PM (#22721380) Homepage
            >For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.

            Arcane trickery to see what the code is doing?
            You've obviously never edited someone else's Perl...
  • Debug, Sure (Score:5, Insightful)

    by Archangel Michael (180766) on Tuesday March 11, 2008 @12:48PM (#22719356) Journal
    "The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in [CC] the product."

    Right. And I have a bridge I'd like to sell you too.
    • by tristian_was_here (865394) on Tuesday March 11, 2008 @12:55PM (#22719482)
      I did something similar I once picked up the wrong keys yet when I went to take them back to the person I decided to let myself in and accidentally walked out with a new TV.
      • Re: (Score:2, Interesting)

        by OptimusPaul (940627)
        I actually did something like that accidentally. I enabled debug logging on a server and later noticed that it was logging usernames and passwords for all users on the system. It wasn't my code that was logging the names and it took me a week to find where it was being done and disable it.
        • by davidsyes (765062) * on Tuesday March 11, 2008 @01:22PM (#22720004) Homepage Journal
          by using a protocol analyzer to recover my OWN login and password for my side of the company's intranet. Turned out that the web software we used (can't remember the name, but it was not front phage, but it was indeed popular at the time) was harvesting or retaining ALL USER ACCOUNTS names and passwords. I became scared shitless because I was not sure how IT would feel. But I was former IT in the company and felt obligated to warn them that the vendor was conducting shitty coding processes and put not only OUR company at risk but other companies as well. If they had any diagnostic or call-home code in their web site building software, then potentially a corrupt employee in their company could gain some limited or full access to many companies' intranets if they gained physical access to the building. And, we all know about piggy-backing, where thieves waltzed in behind other employees, then proceeded to lift laptops, purses, keys, wallets, documents, whatever they could steal.

          DAMN, I wish I could recall the name. I may ..

          Here we go... I'm PRETTY damned sure it was NetObjects Fusion. Just googled "Year 1999 web building applications intranet web" and they were at the top of the list... I preferred it over front phage, but...

          And, now that I Google "Year 1999 protocol analyzer sniffer packet" it seems to refresh my memory that I am PRETTY sure Sniffer Basic was the tool I used.

          Of course, after that I never used any such tool on the LAN. But, being formerly in the IT department, and knowing what to look out for to help the company probably kept me out of trouble.
    • by Anonymous Coward on Tuesday March 11, 2008 @01:00PM (#22719580)
      Right. And I have a bridge I'd like to sell you too.

      Why do you feel the need to hurt the reputation and business of us legitimate bridge sellers?!?
    • by Dwonis (52652) on Tuesday March 11, 2008 @02:57PM (#22721290)

      As I read the comments attached to this article, I see that many slashdotters can't imagine why this debug code would be put into the software in the first place.

      To those slashdotters: You people have no imagination.

      Imagine you're a G-Archiver developer, and one of your customers calls you, saying "Your program doesn't work. It's saying something about an invalid user." In order to reproduce the problem, you ask the customer for his credentials. He tells you his username and password over the phone, and you try logging in yourself. It works fine.

      After a while, you think the problem might be that the password being entered is different from the one you were given over the phone. Perhaps it has something to do with the customer's strange keyboard layout, or maybe the customer's keyboard has some flaky keys.

      So what do you do? You give that one customer a special build of the software that emails you the username and password as entered.

      Later, you accidentally check in the debug code for that special build. Oops.

      • by Tim Browse (9263) on Tuesday March 11, 2008 @03:18PM (#22721536)

        Later, you accidentally check in the debug code for that special build. Oops.

        And you don't notice the 1,777 emails piling up in your inbox until someone investigates your code and calls you out on it.

        I agree with the others - you interested in buying a bridge?

        • Re: (Score:3, Insightful)

          by jopsen (885607)
          If there was 1,700 email it was probably a dummy account... If the developer wanted the mails, then why would he hardcode the password to the email account in his program, when he just as easily could have send the emails to the email account without logging into it, this would have been safer from package sniffers... That said... I agree that this is just yet another reason NOT to used closesource software...
        • Re: (Score:3, Informative)

          by cbart387 (1192883)
          Easily could be a test email address that he uses for only that purpose. I'll give him the benefit of the doubt on this one. That doesn't mean I'll use the product however. You have two cases. Either (a) the coder is malicious -or- (b) the coder is sloppy. If I'm paying for a program (g-archiver's site says it's 29.95) then I expect the code to be of good quality ... and having debug code in does not count as good code in my opinion.

          Also, I'm kinda interested in his market. Thunderbird has an option t
  • A-ha! (Score:4, Interesting)

    by ccguy (1116865) * on Tuesday March 11, 2008 @12:49PM (#22719388) Homepage
    Maybe _this_ is why I'm getting more spam in my gmail account lately?
    If it isn't, surely someone had a boner after reading the article and is coding as we speak...
  • by RandoX (828285) on Tuesday March 11, 2008 @12:50PM (#22719406)
    If you're debugging, you already have the account details. What possible reason could you have to email them to yourself?
  • Hmmm (Score:5, Funny)

    by Anonymous Coward on Tuesday March 11, 2008 @12:50PM (#22719410)

    he deleted the emails
    But did he make a backup first?
  • Trust me, trust me not, trust me, trust me not.

    Oh damn, there goes my password.

    Do you believe the developer? What debug code needs to send an email containing user account information?

    • by Z00L00K (682162) on Tuesday March 11, 2008 @01:02PM (#22719642) Homepage
      I don't believe that for a moment.

      This seems to be a clear case of privacy invasion and unauthorized access to private data. And I think that this should have been brought to the attention of the police for further investigation.

      In this case the guilty will have time to cover his tracks and hide.

      Try this approach the next time you see something as grave as this. The worst thing that can happen if you report it is that the case gets dismissed.

  • DMCA (Score:5, Insightful)

    by yohaas (228469) on Tuesday March 11, 2008 @12:51PM (#22719424)
    If this was a big company, they would have denied it and gone after him under the DMCA. At least the admitted to something and pulled to product.
  • by MikeRT (947531) on Tuesday March 11, 2008 @12:51PM (#22719426) Homepage
    You don't have to work in IT to know that there is no reason for G-Archiver to send the password to anyone but Google. This guy deserves to be prosecuted under anti-hacking statutes.
  • by RandoX (828285) on Tuesday March 11, 2008 @12:52PM (#22719446)
    Good intentions and all, but I'm sure Mr. Brooks just opened himself up to "hacking" charges.
    • by San-LC (1104027) on Tuesday March 11, 2008 @01:03PM (#22719652)
      Possibly by some ridiculous interpretation of the law, Mr. Books was "hacking." However, he purchased the rights to use G-Archiver, and he did not recompile the program in a different way and label it his own. He used information that the program (to which he has the rights to use, unless otherwise stated in some bullsheet EULA) used, found out that this program acted like a Trojan virus and submitted private information to an individual's e-mail account, and subsequently removed his information and disallowed any new information to be read.

      Granted, he probably shouldn't have deleted everything and changed the password (morally: yes, legally: no), so it's likely he may face charges because of this. That's our legal system, folks.
  • Caught (Score:5, Funny)

    by Itninja (937614) on Tuesday March 11, 2008 @12:53PM (#22719450) Homepage
    Looks like someone got caught with their pants down in the cookie jar. That's not nearly as hot as it sounds.
  • ...and if you email usernames and passwords to
    yourself -- like many folks do -- man, you are
    looking to get punished like this. This is
    especially true if you use public terminals.

    (I know, I know. Not the same thing. Still...)
  • Gmail Backups? (Score:3, Interesting)

    by techpawn (969834) on Tuesday March 11, 2008 @12:55PM (#22719484) Journal
    You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it...
    • Re: (Score:2, Informative)

      by fyrie (604735)
      It's useful in case your account get stolen, or if it ever gets deleted by accident (it's happened to gmail users before).
      • Re: (Score:3, Insightful)

        by Tony Hoyle (11698)
        Of course using this software virtually guarantees that your account *will* be stolen, because the author 'accidentally' kept a record of your username/password 'for backup purposes'.
    • Re:Gmail Backups? (Score:4, Informative)

      by Arccot (1115809) on Tuesday March 11, 2008 @01:23PM (#22720010)

      You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it...
      Gmail has been known to shut down down accounts without notice or any chance of reversal. It's prudent to have a copy of your own data at all times, no matter how secure you think someone else is storing it.
    • Re: (Score:3, Insightful)

      by hetfield (129762)
      You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it...

      Redundancy is never a replacement for backups.

      http://slashdot.org/article.pl?sid=08/01/25/1535226 [slashdot.org]
  • by Pope (17780) on Tuesday March 11, 2008 @12:56PM (#22719502)
    what can be explained by incompetance?

    Although in this case, that's some serious incompetance going on!
    • > "Never ascribe to malice what can be explained by incompetence"

      It could be incompetence in this case ... but that saying holds little wisdom, in my opinion.

      There are plenty of competent, malicious criminals out there. In fact, some of them are called Politicians.

  • by Todd Knarr (15451) on Tuesday March 11, 2008 @12:57PM (#22719528) Homepage

    And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you. Once you've given it to them, you have no control over what they do with it.

    • by gnick (1211984) on Tuesday March 11, 2008 @01:36PM (#22720252) Homepage

      And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you.
      This is a little bit different than the standard "give your password out" case. I give my e-mail password to Thunderbird. I give Firefox a few of my passwords. Because those applications need those passwords to authenticate with remote servers so that they can "do something for me." For folks who were using it, the same goes with G-archiver. In some applications, you just have to decide whether the service being rendered is worth you taking the risk that the application may be malevolent. (Or putting a lot of effort into being reasonably sure that it's kept in check.)
    • Re: (Score:3, Insightful)

      by gEvil (beta) (945888)
      And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you. Once you've given it to them, you have no control over what they do with it.

      I was looking at [finally] creating a facebook account the other day. On the account creation page, they have some fields where you supply your webmail address and the password to your webmail account, and it'll automatically look through your address book and find your f
  • by _bug_ (112702)
    I'm almost willing to believe the G-Archive excuse that its debug code. From the screenshots posted online of the inbox (before it was deleted) I only see e-mails marked as unread. If the entire inbox is filled with unread e-mails then I'm willing to believe it was a throw-away e-mail account used for testing/debugging. Also this kind of "bug" seems really blatant and certainly headed for an easy discovery. I'd expect a more obfuscated means of transmitting the username and password, were one so inclined to
  • Suppose you want to harvest all users' emails by simply mailing them to your own account. Why on h^Hearth do you need the password of this account to be written in the source code?
    • by Fnord666 (889225) on Tuesday March 11, 2008 @03:25PM (#22721640) Journal

      Why on h^Hearth do you need the password of this account to be written in the source code?
      Because Gmail's SMTP server uses username/password to authenticate the user before accepting outgoing mail. He was not only emailing info to his gmail account, he was using gmail's smtp server as the outbound connection. Given the purpose of the program, the author assumed that the user had a gmail account and used gmail's smtp server, so the program would not have any firewall issues connecting outbound for its nefarious purposes.
  • Just wondering... (Score:5, Interesting)

    by Doodhwala (13342) on Tuesday March 11, 2008 @12:59PM (#22719576) Homepage

    So why did the binary program also have the password for the gmail account? One would assume that the email address would have been enough. After all, sending someone email doesn't require their password.
    • by Shados (741919)
      To do a lookup to see if the email was received. Common stuff when debugging email sending software.
    • Re:Just wondering... (Score:5, Informative)

      by karmaflux (148909) on Tuesday March 11, 2008 @01:21PM (#22719962)
      GMail requires you to authenticate with their SMTP servers to send mail. His choices were to include the account password, implement his own SMTP server and build it into the program, or use an open SMTP server. That last will often get your mail dropped as spam. The second one would have been better-secured, but the guy was obviously dumb enough to include a phishing function in a backup program, so it's obvious why he went with option number one.
  • 1700+ email accounts isn't much, considering the volume of gmail. And then those accounts would have to be able to be linked to something, if one were to try to exploit it.

    I'm really surprised it's sub-2000. Goes to show not many people use it.

    Since the password of the email account was changed, it couldn't upload any further data either.
  • how about that guy who modified the login program to give him a backdoor hard-coded password and username? then he modified the compiler to recognize when it was compiling login and automatically insert the code, and deleted that code from login so it wouldn't be apparent in a code review. then he modified the compiler to recognize when it was compiling itself, and insert the code to modify both itself and login, and then deleted that code from the compiler as well. now there ain't no code to do that in the
    • by Hatta (162192) on Tuesday March 11, 2008 @01:24PM (#22720038) Journal
      That [bell-labs.com] was Ken Thompson [wikipedia.org], coinventor of UNIX.
    • by adamofgreyskull (640712) on Tuesday March 11, 2008 @01:40PM (#22720306)
      Ken Thomson [bell-labs.com]?
      The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.

      Such blatant code would not go undetected for long. Even the most casual perusal of the source of the C compiler would raise suspicions.

      (...)

      The final step is represented in Figure 7. This simply adds a second Trojan horse to the one that already exists. The second pattern is aimed at the C compiler. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere.
    • by krog (25663)
      He did it so he could more easily troubleshoot support calls on his new "Unix" operating system.
  • Backup???? (Score:3, Insightful)

    by spectrokid (660550) on Tuesday March 11, 2008 @01:03PM (#22719654) Homepage
    Isn't the whole freakin point of GMail that you don't have to backup?
  • by Pogie (107471) on Tuesday March 11, 2008 @01:11PM (#22719828)

    Maybe I'm getting old, but this seems like a pretty clear case of "oh crap, I'm an idiot", rather than "mwuahahah, my plan for global domination proceeds apace!". According to the posting on codinghorror, the guy who found the issue (Dustin Brooks) found that the creator, John Terry, of the G-Archiver software had left his own email information in the code. Yes, the G-archiver forwarded a record of the account information of everyone who used the app to that mailbox, but if you look at the screenshot, none of those emails has been flagged as read by gmail (but maybe that's an artifact of a POP connection?).

    Either way, this just smacks to me of a novice developer doing something incredibly dumb, rather than incredibly malicious. If he actually wanted to just collect other people's account information, why leave his own in the source code? He could have just as easily forwarded the information to an anonymized email account, or simply an account for which the login information was not present in source.

    Just my opinion, I reserve the right to be wrong.
    • by AdamTrace (255409) on Tuesday March 11, 2008 @01:19PM (#22719942)
      I agree. There's a lot of high and mighty programmers here who are calling this guy "incompetent", but I'd be shocked if we haven't all accidentally sent debug code to production at some point or another.

      It's either an honest mistake, or a REALLY poor hack attempt. Unless I've given further information, I'm inclined to think it was an honest mistake.

      Adamn
    • Re: (Score:3, Informative)

      by faloi (738831)
      I'm on the fence. On one hand, sending them to your own account seems pretty stupid. One the other hand, if the software has been out there for a while I would think I would notice suddenly getting a bunch of usernames and passwords in my inbox. Perhaps it was a real "oh crap" moment and he figured that he could sneak the fix into a patch before someone else noticed what was going on. It doesn't look like the emails had to be read, incidentally, it looks like the username and password were on the subjec
  • Deleted the emails (Score:5, Insightful)

    by gorre (519164) on Tuesday March 11, 2008 @01:13PM (#22719852) Homepage
    From the Information Week article:

    Brooks said he then deleted the presumably stolen account information, changed the password on the account, and notified Google.
    [...]
    Google's statement continues. "We are investigating this incident, the underlying activities of which violate Gmail Program Policies. We have suspended the suspect account, and are in the process of notifying the owners of those accounts whose passwords may have been compromised. It's unfortunate that fraudsters continue to use email for these purposes. We have phishing detection capabilities built into Gmail, so we were able to act quickly to limit the impact of this particular attack."
    I have never read Google's Privacy Policy but am slightly concerned that they appear to be able to access emails after their deletion.
    • by L0rdJedi (65690) on Tuesday March 11, 2008 @01:25PM (#22720060)
      Why? Because they happen to keep backups of email, like everyone else on the planet?
    • by sirwired (27582) on Tuesday March 11, 2008 @01:42PM (#22720324)
      When you delete e-mails (even if you hit "Delete Forever"), GMail does not actually delete your e-mails right away. All that happens is you can't see them any more. Google has been rather forthright about this from day 1 of the Beta; it raised a big furor when GMail was first released.

      From the GMail Privacy Policy: (which is blessedly short, and in English)
      "You may organize or delete your messages through your Gmail account or terminate your account through the Google Account section of Gmail settings. Such deletions or terminations will take immediate effect in your account view. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our active servers and may remain in our offline backup systems."

      SirWired
    • Re: (Score:3, Insightful)

      by BitZtream (692029)
      Considering when gmail started out there was no 'delete' functionality, it should not be suprising that the messages are never deleted.

      Why are suprised that when you let someone other than yourself hold onto your data that they can access it even after you can't? Do you know what backups are?

      For google, there are a number of reasons why they would want to retain the data, not that I think they should if they tell you its deleted. The amount of example emails they can run new code at to test various perfor
  • by plopez (54068) on Tuesday March 11, 2008 @01:54PM (#22720564) Journal
    What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.

    Just a few suggestions:
    1) Use source control and know how to use it. Know how to tag releases and when your code is 'frozen' and ready to ship. Communicate.

    2) Know how to use your source control to ID recent changes. Review recent changes.

    3) At least know how to use diff, for Christ's sake. Diff your code and look for recent changes.

    4) Just a thought, you might want to move your soon to be released code to another repository. Just a thought.

    5) LART any programmer touching the soon to be released code without communicating or following through (i.e. removing debug code). If the said programmer is a cowboy, move that programmer over to sales.

    6) Dare I say it, QA and code reviews. Even short-cycle extreme programming has de facto code reviews in that 2 programmers check each other's work.

    As projects get larger and more complex, version control get harder. But a few basic rules can help out.
  • by bestinshow (985111) on Tuesday March 11, 2008 @01:58PM (#22720614)
    Had any of the emails been looked at?

    If they were all unread, and if the last login on that account was like forever ago, then maybe the developer's story is the truth.

    But this is a key example of where open source wins, because most eula's will have a don't decompile clause.
  • by _Shad0w_ (127912) on Tuesday March 11, 2008 @02:08PM (#22720746)

    "Never attribute to malice that which can be adequately explained by stupidity"

    Although in this case I think stupidity might not be an appropiate term. Unless you have oversight (either peer or some other form) it's quite easy to accidently leave deubugging code in a release. I'll hold my hand up and say I've done it; any programmer who says they haven't done it - or at least something similar - is either delusional, hasn't noticed yet or is a downright liar.

  • Snow Job (Score:5, Informative)

    by feed_me_cereal (452042) on Tuesday March 11, 2008 @03:23PM (#22721604)
    From the G-Archiver website:

    What happened with G-Archiver?

    It has come to our attention that a flaw in the coding of G-Archiver may have revealed customer's Gmail account usernames and passwords.

    It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away.

    What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.

    We sincerely apologize and assure you that this coding mishap was in no way intentional.

    We'll be releasing a new version that corrects the flaw in version 1.0. The new version will be available very soon.


    This is misleading. They should have fully disclosed the problem if they want to re-gain anyone's trust. It wasn't that they "may" have been revealed; they as a matter of fact "WERE" revealed. An admission that their program LOGGED AND TRANSMITTED PASSWORDS TO THE PARENT COMPANY would also have been nice.
  • An Accident? (Score:3, Insightful)

    by Jekler (626699) on Tuesday March 11, 2008 @04:46PM (#22722468)
    I've written a lot of code in my time. I've never written a routine/method/function that saved user account names and passwords then emailed them to myself. Writing passwords to the local system is fine, but even that you have to do correctly (in a sufficiently encrypted form) and you must notify the user. I can't understand how he could possibly justify creating emails that transmit password information as simply a debugging accident. The debugging process probably shouldn't involve automatically creating emails. And if it does, it probably shouldn't include secure information. And if it does, it probably shouldn't include secure information from the user without notifying them.

    I don't think this can be justified. You can't "accidentally" harvest account names and passwords. Bells go off in the head when you're writing code that says "create an email, send it to this address, and include the current user's username and password."

"No job too big; no fee too big!" -- Dr. Peter Venkman, "Ghost-busters"

Working...