G-Archiver Harvesting Google Mail Passwords 462
Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."
Debug, Sure (Score:5, Insightful)
Right. And I have a bridge I'd like to sell you too.
That doesn't make sense. (Score:5, Insightful)
DMCA (Score:5, Insightful)
Comment removed (Score:5, Insightful)
Nice move, but illegal? (Score:5, Insightful)
Re:This is why I backup my Gmail with G-Archiver (Score:5, Insightful)
Never ascribe to malice (Score:5, Insightful)
Although in this case, that's some serious incompetance going on!
Don't give out passwords (Score:5, Insightful)
And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you. Once you've given it to them, you have no control over what they do with it.
Re:Trust me, trust me not. (Score:5, Insightful)
This seems to be a clear case of privacy invasion and unauthorized access to private data. And I think that this should have been brought to the attention of the police for further investigation.
In this case the guilty will have time to cover his tracks and hide.
Try this approach the next time you see something as grave as this. The worst thing that can happen if you report it is that the case gets dismissed.
Re:Nice move, but illegal? (Score:5, Insightful)
Granted, he probably shouldn't have deleted everything and changed the password (morally: yes, legally: no), so it's likely he may face charges because of this. That's our legal system, folks.
Backup???? (Score:3, Insightful)
No reason to read the body of the emails... (Score:-1, Insightful)
Re:Gmail Backups? (Score:3, Insightful)
Re:This is why I backup my Gmail with G-Archiver (Score:5, Insightful)
Doesn't look malicious to me (Score:5, Insightful)
Maybe I'm getting old, but this seems like a pretty clear case of "oh crap, I'm an idiot", rather than "mwuahahah, my plan for global domination proceeds apace!". According to the posting on codinghorror, the guy who found the issue (Dustin Brooks) found that the creator, John Terry, of the G-Archiver software had left his own email information in the code. Yes, the G-archiver forwarded a record of the account information of everyone who used the app to that mailbox, but if you look at the screenshot, none of those emails has been flagged as read by gmail (but maybe that's an artifact of a POP connection?).
Either way, this just smacks to me of a novice developer doing something incredibly dumb, rather than incredibly malicious. If he actually wanted to just collect other people's account information, why leave his own in the source code? He could have just as easily forwarded the information to an anonymized email account, or simply an account for which the login information was not present in source.
Just my opinion, I reserve the right to be wrong.Deleted the emails (Score:5, Insightful)
[...]
Google's statement continues. "We are investigating this incident, the underlying activities of which violate Gmail Program Policies. We have suspended the suspect account, and are in the process of notifying the owners of those accounts whose passwords may have been compromised. It's unfortunate that fraudsters continue to use email for these purposes. We have phishing detection capabilities built into Gmail, so we were able to act quickly to limit the impact of this particular attack."
Re:DMCA (Score:2, Insightful)
Re:Doesn't look malicious to me (Score:4, Insightful)
It's either an honest mistake, or a REALLY poor hack attempt. Unless I've given further information, I'm inclined to think it was an honest mistake.
Adamn
Re:This is why I backup my Gmail with G-Archiver (Score:5, Insightful)
The upshot of this case is that the app in question was written with
Re:Many Laws Broken , No Ehics (Score:3, Insightful)
Re:Hmmm (Score:5, Insightful)
He tried but it caused an infinite loop.
Re:This is why I backup my Gmail with G-Archiver (Score:4, Insightful)
Re:Deleted the emails (Score:5, Insightful)
Re:That doesn't make sense. (Score:2, Insightful)
Re:That doesn't make sense. (Score:5, Insightful)
A developer wanting to collect people's usernames and passwords and realising that since the program talks to gmail already doing so over gmail would make it much less likely to be noticed by people monitoring network connections for "phone home" behaviour, seems the most likely explanation. Of course there mightn't be any malicious intent, just a "cool, look at all the accounts I collected" thing - like those people who get a warez copy of every piece of software ever released without ever actually using any of them...
Re:This is why I backup my Gmail with G-Archiver (Score:5, Insightful)
Re:Even the courts aren't this daft (Score:2, Insightful)
Re:Gmail Backups? (Score:2, Insightful)
However, you already have software like Imapsize to make backups using imap.gmail.com and even without that; one can easily move GMail messages to your local machine using Thunderbird or most other mail clients.
So indeed, this must be the most redundant piece of software I have ever seen. Either the devs are quite stupid or they really were out to get account info of people...
Re:Don't give out passwords (Score:5, Insightful)
Your e-mails haven't ever been actually deleted (Score:5, Insightful)
From the GMail Privacy Policy: (which is blessedly short, and in English)
"You may organize or delete your messages through your Gmail account or terminate your account through the Google Account section of Gmail settings. Such deletions or terminations will take immediate effect in your account view. Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our active servers and may remain in our offline backup systems."
SirWired
Re:This is why I backup my Gmail with G-Archiver (Score:5, Insightful)
Wouldn't help a bit; the good and the bad parts of the software used the same port to the same server in the same way.
Wouldn't help a bit; the good and the bad parts of the software used the same SSL channel, you won't get into that with a normal sniffer.
Re:Don't give out passwords (Score:3, Insightful)
I was looking at [finally] creating a facebook account the other day. On the account creation page, they have some fields where you supply your webmail address and the password to your webmail account, and it'll automatically look through your address book and find your friends who have facebook accounts. As soon as I saw that, I decided that I still don't really want a facebook account. I steer way clear of any site that asks me for my logins to other sites.
Re:Gmail Backups? (Score:3, Insightful)
Redundancy is never a replacement for backups.
http://slashdot.org/article.pl?sid=08/01/25/1535226 [slashdot.org]
To quote Hanlon's Razor...again. (Score:3, Insightful)
"Never attribute to malice that which can be adequately explained by stupidity"
Although in this case I think stupidity might not be an appropiate term. Unless you have oversight (either peer or some other form) it's quite easy to accidently leave deubugging code in a release. I'll hold my hand up and say I've done it; any programmer who says they haven't done it - or at least something similar - is either delusional, hasn't noticed yet or is a downright liar.
Re:Trust me, trust me not. (Score:3, Insightful)
http://www.informit.com/articles/article.aspx?p=102181&seqNum=4 [informit.com]
Re:Deleted the emails (Score:3, Insightful)
Why are suprised that when you let someone other than yourself hold onto your data that they can access it even after you can't? Do you know what backups are?
For google, there are a number of reasons why they would want to retain the data, not that I think they should if they tell you its deleted. The amount of example emails they can run new code at to test various performance and reliability aspects of the code is the first thing that comes to mind. Feeding more data to their add targeting software is enough.
Finally, I've not read the license agreement fully myself, but I do seem to recall them stating pretty clearly that they may not delete your emails even after you mark them as deleted. They certainly aren't the only site that does this.
If you want complete control over your data retention policy, you need to run your own server, not outsource it to a free provider who has no liability to you at all.
I.E.
Re:This is why I backup my Gmail with G-Archiver (Score:3, Insightful)
I'm failing to see how this is insecure.
The /. crowd has no imagination (Score:4, Insightful)
As I read the comments attached to this article, I see that many slashdotters can't imagine why this debug code would be put into the software in the first place.
To those slashdotters: You people have no imagination.
Imagine you're a G-Archiver developer, and one of your customers calls you, saying "Your program doesn't work. It's saying something about an invalid user." In order to reproduce the problem, you ask the customer for his credentials. He tells you his username and password over the phone, and you try logging in yourself. It works fine.
After a while, you think the problem might be that the password being entered is different from the one you were given over the phone. Perhaps it has something to do with the customer's strange keyboard layout, or maybe the customer's keyboard has some flaky keys.
So what do you do? You give that one customer a special build of the software that emails you the username and password as entered.
Later, you accidentally check in the debug code for that special build. Oops.
Re:Debug, Sure (Score:2, Insightful)
Re:The /. crowd has no imagination (Score:5, Insightful)
And you don't notice the 1,777 emails piling up in your inbox until someone investigates your code and calls you out on it.
I agree with the others - you interested in buying a bridge?
An Accident? (Score:3, Insightful)
I don't think this can be justified. You can't "accidentally" harvest account names and passwords. Bells go off in the head when you're writing code that says "create an email, send it to this address, and include the current user's username and password."
Re:The /. crowd has no imagination (Score:3, Insightful)
Re:This is why I backup my Gmail with G-Archiver (Score:5, Insightful)
Re:This is why I backup my Gmail with G-Archiver (Score:4, Insightful)
I suppose he could have had the passwords filtered in some way and not noticed the 'folder' (or whatever gmail has) filling up.
Re:This is why I backup my Gmail with G-Archiver (Score:5, Insightful)
Re:This is why I backup my Gmail with G-Archiver (Score:5, Insightful)
Does it really matter which it is? There's no compelling reason to ever use their product, and they've just demonstrated that they can't be trusted. Is it really any better if it's due to ineptness rather than maliciousness?
Re:This is why I backup my Gmail with G-Archiver (Score:3, Insightful)
That holds true if you run around downloading random binaries from random websites (ie. the way your typical Windows user acquires all their software). But hardly anybody who has used an OS with a proper package manager for more than 10 minutes actually does this.
I get all my software from my distribution. Currently Ubuntu, for example. Yes, their package maintainers build my binaries, I don't build 'em myself. But it isn't unreasonable for me to trust Ubuntu. They supply my OS, after all, so if I can't even trust them then I'm already up the creek
Now, Ubuntu are presumably building from the publically released source code for each application (ie. the source code supplied by the original application author), the same as everyone else. So in the open source world, all the binaries floating around out there (at least from the people you trust!) DO match the available source code. And we don't all need to audit it - it only takes one person (maybe working at a company that pays them to audit open source programs, as other posters have suggested) to discover something nefarious, and we'd all drop it like a hot potato.
That isn't to say that it's impossible to sneak back doors into open source programs, or that package maintainers are all 100% trustworthy (they're only human. but so far they have an exceptional track record). But using an open source program supplied by your distribution is a damn sight safer than downloading and running some binary from Joe Random's obscure website (or company, for that matter).
Of course, there are still occasions where you need some program that isn't in the repositories, but those occasions seem to be becoming more and more rare these days. When this occurs I do actually tend to compile it myself (./configure; make; make install. really tricky eh?), but I can't remember the last time I needed to install something like this. 98% of what I need is in the repositories, and I'd wager 100% of what your average man-on-the-street needs.
Re:This is why I backup my Gmail with G-Archiver (Score:2, Insightful)