G-Archiver Harvesting Google Mail Passwords 462

Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."
  • by _bug_ ( 112702 ) on Tuesday March 11, 2008 @01:57PM (#22719532) Journal
    I'm almost willing to believe the G-Archive excuse that it's debug code. From the screenshots posted online of the inbox (before it was deleted) I only see e-mails marked as unread. If the entire inbox is filled with unread e-mails then I'm willing to believe it was a throw-away e-mail account used for testing/debugging. Also this kind of "bug" seems really blatant and certainly headed for an easy discovery. I'd expect a more obfuscated means of transmitting the username and password, were one so inclined to bug the software.

    However 1,777 seems a bit small for "popular software" if this represents every install since the bugged software was released. Furthermore, how does e-mailing a password to a random account help in debugging the software?

    I'm almost willing to believe in human stupidity as the reason this happened, but not quite.
  • Re:Gmail Backups? (Score:2, Informative)

    by fyrie ( 604735 ) on Tuesday March 11, 2008 @01:58PM (#22719554)
    It's useful in case your account gets stolen, or if it ever gets deleted by accident (it's happened to Gmail users before).
  • by Anonymous Coward on Tuesday March 11, 2008 @02:11PM (#22719824)
    Or, to ensure that it doesn't end up in any unfortunate sent items folders.
  • Re:Just wondering... (Score:5, Informative)

    by karmaflux ( 148909 ) on Tuesday March 11, 2008 @02:21PM (#22719962)
    GMail requires you to authenticate with their SMTP servers to send mail. His choices were to include the account password, implement his own SMTP server and build it into the program, or use an open SMTP server. That last will often get your mail dropped as spam. The second one would have been better-secured, but the guy was obviously dumb enough to include a phishing function in a backup program, so it's obvious why he went with option number one.
  • by Z00L00K ( 682162 ) on Tuesday March 11, 2008 @02:21PM (#22719972) Homepage Journal
    I actually found a few links that should be useful in cases like this: Of course you may have your own national version of IT incident reporting.

    So if we really want to avoid having the police hunt us for petty crimes of downloading files - give them something real. :-)

  • Re:Gmail Backups? (Score:4, Informative)

    by Arccot ( 1115809 ) on Tuesday March 11, 2008 @02:23PM (#22720010)

    You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it...
    Gmail has been known to shut down accounts without notice or any chance of reversal. It's prudent to have a copy of your own data at all times, no matter how secure you think someone else is storing it.
  • by Hatta ( 162192 ) on Tuesday March 11, 2008 @02:24PM (#22720038) Journal
    That [bell-labs.com] was Ken Thompson [wikipedia.org], coinventor of UNIX.
  • by faloi ( 738831 ) on Tuesday March 11, 2008 @02:41PM (#22720308)
    I'm on the fence. On one hand, sending them to your own account seems pretty stupid. On the other hand, if the software has been out there for a while I would think I would notice suddenly getting a bunch of usernames and passwords in my inbox. Perhaps it was a real "oh crap" moment and he figured that he could sneak the fix into a patch before someone else noticed what was going on. It doesn't look like the emails had to be read, incidentally; it looks like the username and password were on the subject line.
  • by LordSnooty ( 853791 ) on Tuesday March 11, 2008 @02:48PM (#22720420)
    Have you read the summary? If you used the G-Archiver program then your details will have been leaked. If you just use Gmail then there is no concern.
  • by krog ( 25663 ) on Tuesday March 11, 2008 @02:49PM (#22720454) Homepage
    He did it so he could more easily troubleshoot support calls on his new "Unix" operating system.
  • Wha?!? (Score:5, Informative)

    by an.echte.trilingue ( 1063180 ) on Tuesday March 11, 2008 @02:55PM (#22720566) Homepage

    Rather, you're much better off running a strong firewall that's not the same piece of software or hardware at the boundary of your network which will pick up on nasty things
    I am quite interested in learning what kind of hard firewall you have that is capable of distinguishing between a packet sent over port 80 originating in, say, Internet Explorer and any other piece of software. I am also interested in knowing what software firewall you have that can block applications from rewriting its rules to allow themselves access.

    It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't...you can run a packet sniffer and keep an eye on what the software is sending across the network
    Um, IMHO, checking the source is way faster and takes way less skill than this easily subverted clusterf*ck that you are proposing. Besides, the very thing that makes a hardware firewall useless for cases like this also makes this approach unreliable.

    which I would say the vast majority if not 99.9999% of people aren't.
    While we are in the realm of imaginary statistics, I would say that about 100 times as many people are competent to examine the source of a program than to decompile a program and read the resulting nasty, uncommented, tangled pile of commands that results from that. That makes it about 100 times as likely that somebody will find a back door like this in OSS code, doesn't it?

    Oh, by the way, you realize that lots of people are paid to audit OSS code before they deploy it in their company, right? The ability to do this is actually a selling point for a lot of companies.

    (and unless the software has got a built-in ansible, that should be good enough for almost all applications.)
    What are you talking about?
  • Re:Just wondering... (Score:2, Informative)

    by ZOMFF ( 1011277 ) * on Tuesday March 11, 2008 @02:58PM (#22720616) Homepage
    This door would more than likely leave a copy of the message in the user's 'sent' folder. The chances of someone detecting that are far more likely than the hoops this particular user jumped through to decompile the code.

    Just another thing that points to the application author's malicious intent. By utilizing his own credentials he was able to authenticate to Gmail as himself and shoot himself an email with no trace in the end-user's sent box.
  • by Anonymous Coward on Tuesday March 11, 2008 @03:00PM (#22720638)
    Well, it requires authentication to use Google Mail's email servers (which the program was). I suppose they could have used the end user's username and password to send the email, but then the end user would have seen that they sent out their username and password to someone!

    Of course, there are a billion other ways around sending email to Google's mail server, but I'll just assume the author wasn't that smart.
  • by Schraegstrichpunkt ( 931443 ) on Tuesday March 11, 2008 @03:10PM (#22720756) Homepage

    It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't.

    So? Somebody you trust can do it for you. Or, you can trust that there are enough people looking at the code that they'll find any big problems, and that news of these problems will find its way to you. With non-free software, the number of people looking at the code is much smaller.

  • by dmitrybrant ( 1219820 ) on Tuesday March 11, 2008 @03:16PM (#22720818) Homepage
    Stop me if I'm wrong, but Google previews the first line of the message, right next to the Subject header (as is evident in the screen shot). So there's no need to even "read" the message.
  • Re:Wha?!? (Score:3, Informative)

    by asdfghjklqwertyuiop ( 649296 ) on Tuesday March 11, 2008 @04:10PM (#22721434)
    It may not be easy but people do this sort of thing all the time to remove DRM from video games.

    And if the firewall software checks to see if it has been modified then alter the firewall software so that it does not perform such a check. Hopefully you see where this is going...

  • Snow Job (Score:5, Informative)

    by feed_me_cereal ( 452042 ) on Tuesday March 11, 2008 @04:23PM (#22721604)
    From the G-Archiver website:

    What happened with G-Archiver?

    It has come to our attention that a flaw in the coding of G-Archiver may have revealed customers' Gmail account usernames and passwords.

    It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away.

    What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.

    We sincerely apologize and assure you that this coding mishap was in no way intentional.

    We'll be releasing a new version that corrects the flaw in version 1.0. The new version will be available very soon.


    This is misleading. They should have fully disclosed the problem if they want to re-gain anyone's trust. It wasn't that they "may" have been revealed; they as a matter of fact "WERE" revealed. An admission that their program LOGGED AND TRANSMITTED PASSWORDS TO THE PARENT COMPANY would also have been nice.
  • by Fnord666 ( 889225 ) on Tuesday March 11, 2008 @04:25PM (#22721640) Journal

    Why on h^Hearth do you need the password of this account to be written in the source code?
    Because Gmail's SMTP server uses username/password to authenticate the user before accepting outgoing mail. He was not only emailing info to his gmail account, he was using gmail's smtp server as the outbound connection. Given the purpose of the program, the author assumed that the user had a gmail account and used gmail's smtp server, so the program would not have any firewall issues connecting outbound for its nefarious purposes.
  • Re:Wha?!? (Score:3, Informative)

    by raddan ( 519638 ) on Tuesday March 11, 2008 @04:37PM (#22721756)
    Little Snitch [obdev.at] for Mac OS X lets you write per-application firewall rules. It's pretty sweet. Not that this will help you if your favorite application is secretly sending your diary to your mom.
  • by toriver ( 11308 ) on Tuesday March 11, 2008 @05:04PM (#22722052)
    man strings

    Can't remember if strings is part of Microsoft's "Unix tools for Windows" though, but Cygwin32 will do the trick.
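The `strings` approach the comment above points at is the cheapest way to triage a third-party tool before handing it account credentials, and the karmaflux comment earlier in the thread explains why an SMTP-authenticating program carries its own credentials. The following is an added example, not code from the thread, from G-Archiver or from Dustin Brooks: a small `strings`-style extractor in Python with defender-side heuristics that flag credential-like material (e-mail addresses, `password=` style key/value pairs, SMTP host names, and base64 blobs that decode as a SASL PLAIN login, which is what an embedded SMTP AUTH credential commonly looks like in a binary). The sample blob, the host `smtp.example.invalid`, the address `debug-harvest@example.invalid` and the password value are all constructed for the demonstration.

```python
"""Added example (not from the Slashdot thread or the G-Archiver project):
a `strings`-style scan of a binary blob that flags embedded credential-like
values, the way a defender might triage an executable before trusting it."""
import base64
import re

MIN_RUN = 4  # minimum printable run, like `strings -n 4`

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
KEYVAL = re.compile(
    r"(?i)\b(pass(word)?|pwd|smtp[_-]?(user|pass)|secret|token)\s*[=:]\s*(\S+)"
)
SMTP_HOST = re.compile(r"(?i)\bsmtp\.[a-z0-9.-]+")


def extract_strings(blob: bytes, min_len: int = MIN_RUN) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (what `strings` prints)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def decode_auth_plain(token: str):
    """If token is base64 of a SASL PLAIN message (authzid\\0authcid\\0passwd),
    return (user, password); otherwise None. This is the form an SMTP
    `AUTH PLAIN` credential takes when it is precomputed into a binary."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    try:
        return parts[1].decode("ascii"), parts[2].decode("ascii")
    except UnicodeDecodeError:
        return None


def find_credential_indicators(blob: bytes) -> list[tuple[str, str]]:
    """Scan the extracted strings and return (kind, string) findings in file order."""
    findings = []
    for s in extract_strings(blob):
        if EMAIL.search(s):
            findings.append(("email", s))
        if KEYVAL.search(s):
            findings.append(("key=value", s))
        if SMTP_HOST.search(s):
            findings.append(("smtp-host", s))
        # A base64 SASL PLAIN blob has no whitespace, so check each token once.
        for tok in s.split():
            if len(tok) >= 8 and decode_auth_plain(tok):
                findings.append(("sasl-plain-base64", s))
                break
    return findings


# Constructed stand-in for an executable: header-like bytes, ordinary program
# strings, and an embedded SMTP credential set. Nothing here is real.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"BackupMailbox\x00\x00"
    + b"smtp.example.invalid\x00"                       # constructed host
    + b"\xff\xfe\x01\x02"
    + b"debug-harvest@example.invalid\x00"              # constructed address
    + b"password=hunter2-constructed\x00"               # constructed value
    + base64.b64encode(b"\x00debug-harvest@example.invalid\x00hunter2-constructed")
    + b"\x00\x7f\x00\x01Subject: %s / %s\x00"
)

if __name__ == "__main__":
    for kind, s in find_credential_indicators(SAMPLE_BINARY):
        print(f"{kind:18} {s}")
```

Run it on a real file by replacing `SAMPLE_BINARY` with `open(path, "rb").read()`; the heuristics are deliberately noisy (every e-mail address and every `smtp.` host is reported) because the point of triage is to produce a short list for a human to read, not a verdict. The SASL PLAIN check matters because a precomputed `AUTH PLAIN` line hides both username and password behind what looks like a random base64 string.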
  • by Mongoose Disciple ( 722373 ) on Tuesday March 11, 2008 @05:50PM (#22722508)
    I was assuming the source does not match binaries case, and for a one-man project like G-Archiver.

    How trivial is that to verify if I control both? Depending on the compiler/options you could get some different executables...
  • by cbart387 ( 1192883 ) on Tuesday March 11, 2008 @05:52PM (#22722528)
    Easily could be a test email address that he uses for only that purpose. I'll give him the benefit of the doubt on this one. That doesn't mean I'll use the product however. You have two cases. Either (a) the coder is malicious -or- (b) the coder is sloppy. If I'm paying for a program (g-archiver's site says it's 29.95) then I expect the code to be of good quality ... and having debug code in does not count as good code in my opinion.

    Also, I'm kinda interested in his market. Thunderbird has an option to download/sync to a local machine. I'm curious why you'd want to use yet another tool when a decent email client has the same basic feature.
  • by Anonymous Coward on Tuesday March 11, 2008 @08:34PM (#22723816)
    Everyone else on the planet keeps backups of their own email, not other people's.
  • by Nullav ( 1053766 ) <moc@noSPAM.liamg.valluN> on Tuesday March 11, 2008 @09:07PM (#22724058)
    Yeah, logging; logging the usernames and passwords of every single user. Perfectly legitimate!

    If something is collecting my login information (and thus access to every conversation made using that address), I expect a damn good reason and I expect it before someone else exposes it and potentially gains access to my account and countless others. For that matter, I expect it before the money leaves my hands.
