The Gmail password hijacking incident: When so-called helpful apps hurt

Summary: An application dubbed G-Archiver backs up your Gmail account to a hard drive with a not-so-nice twist: It swipes your user name and password. Jeff Atwood at Coding Horror outlines a chilling tale as told by Dustin Brooks, one of his readers.

An application dubbed G-Archiver backs up your Gmail account to a hard drive with a not-so-nice twist: It swipes your user name and password.

Jeff Atwood at Coding Horror outlines a chilling tale as told by Dustin Brooks, one of his readers.

I was looking for a way to back up my Gmail account to a local drive. I've accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver; I figured, what the heck, I'll give it a try.

It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard-coded his username and password to his Gmail account in the source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information, I became concerned.

I opened up a browser and logged in to Gmail using his account information. It still worked.

Atwood zeroed in on the ethics of Terry and how programmers need ethics too. Marshall Kirkpatrick at ReadWriteWeb says that this ditty shows why we need authentication standards.

I come to a different conclusion: You just can't trust a lot of the software out there. What apps can you really trust? This G-Archiver thing sounds way helpful, but it isn't by any stretch.

But what's really worrisome is that Atwood's tale shows how someone who actually knows code can take a hit. I couldn't have deciphered that the application was hijacking my user name and password. A lot of people couldn't.

If you add it up, I can only come to one conclusion: Don't trust software from companies you've never heard of. The problem: These incidents could have a big chilling effect on legit software companies.


About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
