The Gmail password hijacking incident: When so-called helpful apps hurt


An application dubbed G-Archiver backs up your Gmail account to a hard drive with a not-so-nice twist: It swipes your user name and password.

Jeff Atwood at Coding Horror outlines a chilling tale as told by Dustin Brooks, one of his readers.

I was looking for a way to back up my gmail account to a local drive. I've accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver, I figured what the heck I'll give it a try.

It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.

I opened up a browser and logged in to gmail using his account information. It still worked.

Atwood zeroed in on the ethics of Terry and how programmers need ethics too. Marshall Kirkpatrick at ReadWriteWeb says that this ditty shows why we need authentication standards.

I come up with a different conclusion: You just can't trust a lot of the software out there. What apps can you really trust? This G-Archiver thing sounds way helpful, but it isn't by any stretch.

But what's really worrisome is that Atwood's tale shows how someone who actually knows code can take a hit. I couldn't have deciphered that the application was hijacking my user name and password. A lot of people couldn't.
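Brooks caught the exfiltration by decompiling the .NET binary with Reflector. A cheaper first check that needs no decompiler is a strings pass over the executable looking for the artefacts this kind of exfiltration leaves behind: an SMTP host name, a fixed recipient address, and credential-related words. A backup tool has a reason to talk IMAP or POP3, but no reason to carry an SMTP host together with a hard-coded mailbox. The script below is an added example written for this page, not G-Archiver's code or anything from Coding Horror; the sample bytes, host and address are constructed. It extracts both ASCII and UTF-16LE runs, because .NET assemblies store string literals as UTF-16LE and an ASCII-only `strings` pass misses them.

```python
"""Added example: strings triage of an executable for credential-exfiltration
indicators. The sample bytes below are constructed; nothing here is
G-Archiver's code."""
import re

# Indicators an SMTP-based exfiltration tends to leave in a binary.
SMTP_HOSTS = re.compile(r"\bsmtp\.[a-z0-9.-]+\.[a-z]{2,}\b", re.I)
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CRED_WORDS = re.compile(r"\b(?:password|passwd|pwd|credentials?)\b", re.I)


def extract_strings(data: bytes, min_len: int = 6):
    """Yield (encoding, offset, text) for printable ASCII and UTF-16LE runs.

    .NET keeps user string literals in UTF-16LE (the #US heap), so a plain
    ASCII `strings` pass shows none of them; the second pattern catches them.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield ("ascii", m.start(), m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield ("utf-16le", m.start(), m.group().decode("utf-16-le"))


def triage(data: bytes):
    """Return findings as (kind, encoding, offset, text), ordered by offset."""
    findings = []
    for enc, off, s in extract_strings(data):
        if SMTP_HOSTS.search(s):
            findings.append(("smtp-host", enc, off, s))
        if EMAIL.search(s):
            findings.append(("email-address", enc, off, s))
        if CRED_WORDS.search(s):
            findings.append(("credential-word", enc, off, s))
    findings.sort(key=lambda f: f[2])
    return findings


def verdict(findings):
    """Summarise: a mail-sending host plus a fixed recipient is the pairing
    a backup tool should never need."""
    kinds = {k for k, *_ in findings}
    if {"smtp-host", "email-address"} <= kinds:
        return "suspicious: sends mail to a hard-coded address"
    if kinds:
        return "review: " + ", ".join(sorted(kinds))
    return "no indicators"


# Constructed sample: an MZ stub, an ASCII DOS-mode string, then UTF-16LE
# literals of the kind a .NET decompiler would show. Host and address are
# invented (example.test).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode." + b"\x00" * 8
    + "smtp.example.test".encode("utf-16-le") + b"\x00\x00"
    + "collector@example.test".encode("utf-16-le") + b"\x00\x00"
    + "Your Gmail password".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    found = triage(SAMPLE)
    for kind, enc, off, s in found:
        print(f"{kind:16} {enc:9} 0x{off:06x} {s!r}")
    print(verdict(found))
```

Run it against a real binary with `triage(open(path, "rb").read())`. The point of the UTF-16LE pass is visible in the sample: the three indicators all live in UTF-16LE, and an ASCII-only scan would report nothing but the DOS-mode stub. A hit is a reason to ask questions or watch the process on the wire, not proof on its own; a legitimate mail client carries the same strings.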

If you add it up I can only come to one conclusion: Don't trust software from companies you've never heard of. The problem: These incidents could have a big chilling effect on legit software companies.

Topics: CXO, Collaboration, Google

Talkback

44 comments
  • Not just the unknown companies

    It's not just the "unknown" software makers who can't be trusted. I have a client who thought it would be interesting to see what's going through his network, so he grabbed a day's worth of packets. He caught some new software from a big maker (on the scale of Adobe, Microsoft and Oracle) trying to send his "registration" information. What was odd was it was transferring about 60 megabytes! He's a statistics professor, so he dug deeper and found it wasn't compressed, but it was encrypted as there were no repeating sequences of bytes. Repeated requests to this vendor have not resulted in a response.
    ometecuhtli2001
  • Someone asked me how to "backup" Gmail

    And I gave her a very simple answer: Thunderbird. The e-mail stays at Gmail, but a local copy is now available. Since Thunderbird stores it in mbox format, it can be read outside of the client in other applications. She was perfectly happy with my suggestion.
    AbbydonKrafts
    • The same with Hotmail

      There is a free add-in that lets me download my Hotmail to Outlook, works quite well.
      GuidingLight
      • Uh, wasn't the Gmail archiver a "free add-in"???

        How can you be sure the one you are using is not pulling the same trick??
        aroc
    • Any desktop e-mail software with POP3 works

      Just download your Gmail to your favorite desktop e-mail program using POP3.
      Outlook, Eudora, Thunderbird.
      Whatever works.
      tikigawd
  • MALWARE plain and simple.

    There are literally thousands of programs out there (many of them commercial) that do exactly this or worse. They are called MALWARE. They use deceptive or illegal practices that benefit the creator, not the user. They phish for personal data, take control of users' computer resources, create vulnerabilities in security, and generally lie, cheat and steal.

    Imagine if a locksmith came to your house, installed a lock as you hired him to do, then made several copies of the key, one for himself, one that he put under a rock in the front yard, and one that he hung up in his shop for sale to the highest bidder. That's EXACTLY what some developers do with "backdoors" in their software. And I'm not just talking about low-life rogues, but big-name companies selling software that costs thousands of dollars.

    When caught and confronted, they use various excuses: ease of use, ease of support, you agreed to everything in the EULA, etc. But the truth is that it is deceitful, dangerous, immoral, but not necessarily illegal. Thanks to corrupt legislators, businesses have managed to avoid any legislation that would make most of these actions illegal as well as immoral.
    terry flores
    • Well put.

      Plain and to the point. Exactly.
      Glen.Manages.MVS
      • Absolutely

        Not too many years ago, there was a definite correlation between moral/immoral and legal/illegal. If something was moral it was legal, and if it was immoral, it was illegal. Nowadays, things that used to be legal are illegal, and things that used to be illegal are now legal, and there's no such thing as immoral anymore. Morality is relative.
        awgiedawgie
  • RE: The Gmail password hijacking incident: When so-called helpful apps hurt

    I am just as concerned by the "computer" reading of all my gmails by Google for their keyword advertising adjacent to emails. It makes one more than uneasy to see key words from my private gmails popping up in the adjacent ads! They are reading and recording every word in the emails and sending it over to their advertising dept computers. Pretty soon advertisers will be bidding on private email key words.

    How would you like it if the US post office opened every letter, scanned it, then sent the scan over to another dept to read and place an ad on the outside of the envelope they then mailed you. Got an overdue bill, then get an ad on the envelope "we can help you with your bills now!"

    They have a little feedback link on the google ads explaining how private this is, so I know they are getting thousands of complaints.

    This is invasion of privacy and needs to be stopped immediately, even if Google is free, they have no right to read emails even with computers. If the computer reads it, anyone at Google with code and password can read them for the record.

    I know this is a bit off the hacker topic on Google but maybe we can also discuss this issue on ZDNet.

    Tks,

    Johnpills
    johnpills
    • If you don't want the world...

      to know your secrets, don't use gmail. In fact don't
      use the Internet unless you encrypt your secrets
      first. Using the Internet unencrypted, is like writing
      postcards for everyone to read.
      arminw
      • Too true; Other problems, too

        Invasions of privacy abound and many (most?) are undetectable. The only defense is to never let it onto the Internet, or, better yet, never let it onto your computer.

        Aside from privacy, there are other reasons to limit the amount of "helpful" software that you use. In the business of computer support, I've run into apps that do damage through plain old bugs or system conflicts. I've also seen computers that were completely bogged down by dozens of these little gems. A case in point is browser toolbars, most of which are (in my book) useless, yet somehow they are attractive to the average user.

        This is a legitimate role for reviewers. Reputable reviews of software should include testing for privacy issues and adverse side effects. Is there anti-snooping software that could help reviewers detect embedded snoopers? (That thought shakes me a bit! A whole new industry...) How about a resource usage assessment, especially for apps that have a resident module?
        w_c_mead
  • RE: The Gmail password hijacking incident: When so-called helpful apps hurt

    For Outlook Express users, Gmail supports the IMAP protocol scheme as well as POP3. Just as with Thunderbird, IMAP leaves all the physical folders and email on the Gmail host, but mirrors it virtually in Outlook Express, thus allowing transparent backup or the security of host storage.
    lcarliner9
  • RE: The Gmail password hijacking incident: When so-called helpful apps hurt

    I agree on the point of knowing the company you are dealing with. However, you should also be changing your password on a regular basis. All the free email giants need to enforce password expiration dates, encryption, and strong password rules. Sure, it will piss off a few hundred users, give or take a few thousand, but we all adapt. Remember when corporate America was lacking in security, and then IT started enforcing the rules? We all got through it, didn't we?

    One other point... who actually wants to back up their GMAIL/Yahoo/MSN account unless they have some specific need to do so. Ummm, how about NOT MANY!!!!
    Do you really feel like Google is going to lose your data?
    I have 6.5 gigs of space allocated on my gmail account and have used 24% of it. And I too save everything and I use gmail search as an information resource as well. But I do not feel like I need to back it up to my hard drive. It is not a very efficient use of web technology. And if Google does have a crash (God forbid), how you gonna restore that data?

    Just food for thought people...
    WhiteBoy99
  • RE: The Gmail password hijacking incident: When so-called helpful apps hurt

    A much simpler way to save a gmail/yahoo email to your hard disk:

    ctrl-a (highlight all)
    ctrl-c (copy)

    then in a word processor appl.:
    ctrl-v (paste)

    save.

    or, print it into a pdf file
    adi_dwitama
    • Easiest way

      Download your e-mail with an e-mail app. Why leave it on the server anyway. Why use web-mail at all?
      seanferd
    • way way inefficient

      Just use Outlook or Outlook Express.

      Either one will automatically pull down the Gmail then delete it off the server.

      I've done this along with creating rules under OL or OLE. Then when the email arrives it's sorted by the rules into folders.

      Terry Thomas...
      the photographer
      Atlanta, Georgia USA
      http://TerryThomasPhotos.GooglePages.com
      AtlantaTerry
  • RE: The Gmail password hijacking incident: When so-called helpful apps hurt

    Take a look at their home page: it was a stupid mistake by a coder who forgot to clean up his testing code before the product was released. They've pulled the program for revision and very strongly urge that you change information immediately. This was an accident with potentially disastrous consequences, but an accident nonetheless....
    foraminut
    • huh?

      The first day the coder got tons of email that was not his own he should have known that something was "wrong".

      Sorry, but it seems to me that this is Lawyer Talk and/or Cover Your Ass at work.

      Terry Thomas...
      the photographer (and former dBase coder)
      Atlanta, Georgia USA
      http://TerryThomasPhotos.GooglePages.com
      AtlantaTerry
      • Well...

        The fact that the programmer hard coded his own username and pwd points toward it being a mistake.

        Why would he want to put code out there that anyone could read, and then go log in to his account?

        He might have opened up that Gmail account as a test account and might not check it (that might be why he didn't notice he was getting e-mails that were not for him).

        I don't know. It just doesn't seem intentional. Scary and dangerous, nonetheless.
        tikigawd