March 10th, 2008

The Gmail password hijacking incident: When so-called helpful apps hurt

Posted by Larry Dignan @ 8:41 am

Categories: Exploit code, Google, Hackers, Vulnerability research

Tags: Google Gmail, Password, E-mail, Business Ethics, Online Communications, Leadership, Management, Larry Dignan

An application dubbed G-Archiver backs up your Gmail account to a hard drive with a not-so-nice twist: It swipes your user name and password.

Jeff Atwood at Coding Horror outlines a chilling tale as told by Dustin Brooks, one of his readers.

I was looking for a way to back up my Gmail account to a local drive. I've accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver. I figured, what the heck, I'll give it a try.

It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard-coded his username and password to his Gmail account in the source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information, I became concerned.

I opened up a browser and logged in to Gmail using his account information. It still worked.

Atwood zeroed in on the ethics of Terry and how programmers need ethics too. Marshall Kirkpatrick at ReadWriteWeb says that this ditty shows why we need authentication standards.

I come to a different conclusion: You just can't trust a lot of the software out there. What apps can you really trust? This G-Archiver thing sounds helpful, but it isn't by any stretch.

But what's really worrisome is that Atwood's tale shows that even someone who actually knows code can take a hit: Brooks had already entered his credentials before he decompiled the app. I couldn't have worked out that the application was hijacking my user name and password. A lot of people couldn't.
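Brooks caught the exfiltration by decompiling the assembly with Reflector. A cheaper first pass, which needs no decompiler and no .NET knowledge, is to pull the strings out of the binary and look for the combination this incident hinged on: a hard-coded SMTP relay, a fixed recipient mailbox and mail-sending API references inside a tool whose only legitimate job is to read mail. The script below is an added example, not code from the article or from G-Archiver. The sample bytes it scans are constructed to mimic such an assembly; the host, mailbox and password in them are placeholders, not the real values. It scans UTF-16LE as well as ASCII because .NET assemblies store user strings as UTF-16LE, so an ASCII-only `strings` run would miss exactly the strings that matter here.

```python
"""Static triage of a binary for the G-Archiver pattern: hard-coded mail
credentials plus code that sends mail to a fixed address.

Added example, not the article's or G-Archiver's code. .NET assemblies keep
user strings (the #US heap) as UTF-16LE, so an ASCII-only strings pass would
miss the interesting ones; both encodings are scanned.
"""
import re

MIN_LEN = 6  # shortest printable run worth reporting

# Constructed sample bytes standing in for a .NET assembly. The relay host, the
# mailbox and the password are placeholders, not values from the real app.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "smtp.gmail.com".encode("utf-16-le") + b"\x00\x00"
    + "author-mailbox@example.com".encode("utf-16-le") + b"\x00\x00"
    + "Placeholder-Author-Password".encode("utf-16-le") + b"\x00\x00"
    + "Username: {0} Password: {1}".encode("utf-16-le") + b"\x00\x00"
    + b"System.Net.Mail.SmtpClient\x00"
    + b"\x00" * 8
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SMTP_HOST_RE = re.compile(r"\bsmtp\.[A-Za-z0-9.-]+", re.I)
MAIL_API_RE = re.compile(r"System\.Net\.Mail|SmtpClient|MailMessage")
SECRET_RE = re.compile(r"pass(?:word|wd)?|secret|token", re.I)


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (encoding, text) pairs for printable runs in ASCII and UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return found


def triage(data: bytes) -> dict:
    """Flag a binary carrying a fixed recipient address plus mail-sending code."""
    strings = [text for _, text in extract_strings(data)]
    report = {
        "emails": sorted({m.group() for s in strings for m in EMAIL_RE.finditer(s)}),
        "smtp_hosts": sorted({m.group() for s in strings for m in SMTP_HOST_RE.finditer(s)}),
        "mail_api": sorted(s for s in strings if MAIL_API_RE.search(s)),
        "credential_strings": sorted(s for s in strings if SECRET_RE.search(s)),
    }
    # A backup tool only has to *read* the user's mailbox. Sending code plus a
    # baked-in recipient address is the combination that warrants a closer look
    # (a decompile, or watching its outbound connections) before trusting it.
    report["suspicious"] = bool(report["emails"] and report["mail_api"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BINARY).items():
        print(f"{key}: {value}")
```

The heuristic is deliberately loose: it will also flag an app that legitimately emails support reports to a fixed address, so a hit is a reason to look further, not a verdict. What it will not miss is the case Brooks describes, where the recipient address, the relay and the credential-formatting template all sit in the binary as plain strings.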

If you add it up, I can only come to one conclusion: Don't trust software from companies you've never heard of. The problem: These incidents could have a big chilling effect on legitimate software companies.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 44)

Apparently an 'accident'
Taken from their website:

"What happened with G-Archiver?

It has come to our attention that a flaw in the coding of G-Archiver may have revealed customers' Gmail account username... (Read the rest)"

Posted by: stoneyg431@... on 03/31/08
