G-Archiver Harvesting Google Mail Passwords
Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in InformationWeek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."
Almost Willing To Believe (Score:2, Informative)
However 1,777 seems a bit small for "popular software" if this represents every install since the bugged software was released. Furthermore, how does e-mailing a password to a random account help in debugging the software?
I'm almost willing to believe in human stupidity as the reason this happened, but not quite.
Re:Gmail Backups? (Score:2, Informative)
Re:Just wondering... (Score:-1, Informative)
Re:Just wondering... (Score:5, Informative)
Re:Even the courts aren't this daft (Score:5, Informative)
So if we really want to avoid having the police hunt us for petty crimes of downloading files - give them something real. :-)
Re:Gmail Backups? (Score:4, Informative)
Re:what was that dude's name (Score:5, Informative)
Re:Doesn't look malicious to me (Score:3, Informative)
Re:One thing strikes me (Score:3, Informative)
His name is Dennis Ritchie (Score:3, Informative)
Wha?!? (Score:5, Informative)
Oh, by the way, you realize that lots of people are paid to audit OSS code before they deploy it in their company, right? The ability to do this is actually a selling point for a lot of companies.
Re:Just wondering... (Score:2, Informative)
Just another thing that points to the application author's malicious intent. By utilizing his own credentials he was able to authenticate to Gmail as himself and shoot himself an email with no trace in the end-user's sent box.
Re:Just wondering... (Score:-1, Informative)
Of course, there are a billion other ways around sending email to Google's mail server, but I'll just assume the author wasn't that smart.
Re:This is why I backup my Gmail with G-Archiver (Score:5, Informative)
So? Somebody you trust can do it for you. Or, you can trust that there are enough people looking at the code that they'll find any big problems, and that news of these problems will find its way to you. With non-free software, the number of people looking at the code is much smaller.
Re:Doesn't look malicious to me (Score:2, Informative)
Re:Wha?!? (Score:3, Informative)
And if the firewall software checks to see if it has been modified then alter the firewall software so that it does not perform such a check. Hopefully you see where this is going...
Snow Job (Score:5, Informative)
This is misleading. They should have fully disclosed the problem if they want to regain anyone's trust. It wasn't that they "may" have been revealed; they as a matter of fact "WERE" revealed. An admission that their program LOGGED AND TRANSMITTED PASSWORDS TO THE PARENT COMPANY would also have been nice.
Re:That REALLY doesn't make sense (Score:4, Informative)
Re:Wha?!? (Score:3, Informative)
Re:This is why I backup my Gmail with G-Archiver (Score:5, Informative)
Can't remember if strings is part of Microsoft's "Unix tools for Windows" though, but Cygwin32 will do the trick.
Re:This is why I backup my Gmail with G-Archiver (Score:3, Informative)
How trivial is that to verify if I control both? Depending on the compiler/options you could get some different executables...
Re:The /. crowd has no imagination (Score:3, Informative)
Also, I'm kinda interested in his market. Thunderbird has an option to download/sync to a local machine. I'm curious why you'd want to use yet another tool when a decent email client has the same basic feature.
Re:Deleted the emails (Score:-1, Informative)
Re:This is why I backup my Gmail with G-Archiver (Score:3, Informative)
If something is collecting my login information (and thus access to every conversation made using that address), I expect a damn good reason and I expect it before someone else exposes it and potentially gains access to my account and countless others. For that matter, I expect it before the money leaves my hands.