Google Blogoscoped

Forum

G-Archiver Scam?

Andy Wong [PersonRank 10]

Monday, March 10, 2008
16 years ago, 7,272 views

Good case to teach common sense about privacy and security. You as a user take care of your own privacy. Don't blame Google or whatsoever.

Anonymous Coward [PersonRank 0]

16 years ago

Who's blaming Google?

/pd [PersonRank 10]

16 years ago

There's nobody blaming Google... it's a call-out on programmer ethics.

Michael D. Sullivan [PersonRank 0]

16 years ago

This is truly atrocious, whether or not it was done with the best of intentions (which seems unlikely).

Justin [PersonRank 0]

16 years ago

This is, if true, a very unethical act of programmers.

I couldn't find any good intention for caching the passwords along with the user names.

Stephen Tordoff [PersonRank 10]

16 years ago

There was no blame placed on Google, just highlighting the problems with using software that requires your user details.

This could happen to any provider, not just GMail.

Satan [PersonRank 6]

16 years ago

Good job, Dustin. Satan loves you.

J. McNair [PersonRank 10]

16 years ago

Heh, and as soon as someone pisses off said creator, "John Terry" likely could have sold the credentials to a spam network.

Then again, even Google says not to give your credentials out, even to some of their trusted partners (unless Google OWNS said trusted partners).

It is a Good Thing that the creator of G-Archiver did not go to extra pains to more cleverly hide its general naughtiness, otherwise more people could have been vulnerable before someone figured it out.

Honestly, the best way to backup your GMail account is to get Thunderbird and turn on IMAP. This assumes that GMail-IMAP doesn't have bandwidth caps. Then use Thunderbird to export your mail into whatever format you prefer.
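The IMAP route suggested above, as an added example that is not part of the original thread and not code from Thunderbird, G-Archiver or Gmail: a small Python script that pulls a mailbox over IMAP into a local mbox file, so the account password never leaves your own machine. Assumptions (mine, not the post's): imap.gmail.com on port 993 as the server, the password read from a GMAIL_PASSWORD environment variable rather than written into the code, and the function names (extract_messages, backup_mailbox, open_gmail, demo_backup) are hypothetical. The FakeIMAP class and DEMO_MESSAGES are constructed stand-ins so the script also runs offline.

```python
"""Back up a mailbox over IMAP into a local mbox file.

Added example for this thread, not code from any product discussed in it.
Assumptions: imap.gmail.com:993 as the server, the account password taken
from the GMAIL_PASSWORD environment variable (never written into the code),
and a constructed FakeIMAP stand-in so the script can run offline.
"""
import imaplib
import mailbox
import os
import re
import sys
import tempfile

IMAP_HOST = "imap.gmail.com"  # Gmail's IMAP endpoint
IMAP_PORT = 993

# imaplib returns fetch data as a flat list: tuples like
# (b'1 (RFC822 {123}', b'<raw message>') carry a message, loose b')' items
# are delimiters. Only the tuples matter.
_FETCH_HEADER = re.compile(rb"^(\d+) \(")


def extract_messages(fetch_data):
    """Return [(sequence_number, raw_rfc822_bytes), ...] from imaplib fetch data."""
    found = []
    for item in fetch_data:
        if isinstance(item, tuple) and len(item) >= 2:
            match = _FETCH_HEADER.match(item[0])
            if match:
                found.append((int(match.group(1)), item[1]))
    return found


def backup_mailbox(conn, mailbox_name, mbox_path):
    """Append every message of mailbox_name to the mbox at mbox_path; return the count.

    conn is any object with imaplib-style select/search/fetch methods.
    """
    status, _ = conn.select(mailbox_name, readonly=True)  # read-only: never flag or expunge
    if status != "OK":
        raise RuntimeError(f"cannot select {mailbox_name!r}")
    status, data = conn.search(None, "ALL")
    if status != "OK":
        raise RuntimeError("search failed")
    box = mailbox.mbox(mbox_path)  # created if missing
    saved = 0
    try:
        for seq in data[0].split():
            status, fetched = conn.fetch(seq, "(RFC822)")
            if status != "OK":
                continue
            for _, raw in extract_messages(fetched):
                box.add(raw)  # mbox adds its own "From " separator line
                saved += 1
    finally:
        box.flush()
        box.close()
    return saved


def open_gmail(username):
    """Connect to Gmail over IMAP with TLS; the password comes only from the environment."""
    password = os.environ.get("GMAIL_PASSWORD")
    if not password:
        raise SystemExit("set GMAIL_PASSWORD in the environment instead of embedding it")
    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT)
    conn.login(username, password)
    return conn


# Constructed sample data: two minimal RFC 822 messages for the offline demo.
DEMO_MESSAGES = [
    b"From: alice@example.com\nSubject: first\n\nhello\n",
    b"From: bob@example.com\nSubject: second\n\nworld\n",
]


class FakeIMAP:
    """Constructed offline stand-in that answers like imaplib for one mailbox."""

    def __init__(self, messages):
        self.messages = messages

    def select(self, mailbox_name, readonly=False):
        return "OK", [str(len(self.messages)).encode()]

    def search(self, charset, *criteria):
        seqs = [str(i + 1).encode() for i in range(len(self.messages))]
        return "OK", [b" ".join(seqs)]

    def fetch(self, seq, parts):
        raw = self.messages[int(seq) - 1]
        header = b"%s (RFC822 {%d}" % (seq, len(raw))
        return "OK", [(header, raw), b")"]


def demo_backup():
    """Run the backup against FakeIMAP into a temp file; return (count, subjects)."""
    path = os.path.join(tempfile.mkdtemp(), "demo.mbox")
    count = backup_mailbox(FakeIMAP(DEMO_MESSAGES), "INBOX", path)
    subjects = [msg["Subject"] for msg in mailbox.mbox(path)]
    return count, subjects


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python backup.py you@gmail.com
        conn = open_gmail(sys.argv[1])
        try:
            # "[Gmail]/All Mail" holds every labelled message; IMAP needs it quoted.
            print("saved", backup_mailbox(conn, '"[Gmail]/All Mail"', "gmail-backup.mbox"))
        finally:
            conn.logout()
    else:
        print(demo_backup())
```

The mailbox is selected read-only so a backup can never flag, move or expunge anything, and the password is taken from the environment at run time rather than stored anywhere the script could leak it. Run without arguments it exercises the constructed FakeIMAP and writes two demo messages to a temporary mbox; with a username it connects to Gmail.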

me [PersonRank 8]

16 years ago

Well, a lot of services can import your contacts directly from Gmail (last.fm for instance). Unfortunately most of them want your login and password. Strange thing is that they do not offer simple CSV import.

Lenny [PersonRank 0]

16 years ago

While being thankful to have this revealed, don't we also have to wonder about Dustin Brooks' intentions? If I had reverse engineered something and in the process found someone's username and password revealed, I would not rush to actually use that information to log into the user's account. Should his action have been to notify John Terry about his inadvertent revelation?

Is this akin to someone that walks into a house because the door is unlocked, breaking the law in the process, but goes on to stop a larger crime such as seeing a murder about to be committed in that house?

At the end of the day, it seems to be a "good thing" that Dustin uncovered what was going on, but I find the process a bit unsavory.

Philipp Lenssen [PersonRank 10]

16 years ago

> While being thankful to have this revealed, don't we also
> have to wonder about Dustin Brooks' intentions? If I had
> reverse engineered something and in the process found
> someone's username and password revealed, I would
> not rush to actually use that information to log into the user's account.

Lenny, Dustin apparently did not simply rush to log in after he found the creator's password (he merely thought including it in the binary was stupid). He *only* used this password to log in to the creator's account after he realized that the program sends an email containing user passwords to the creator.

So to follow-up on your analogy, it's not like someone breaking into a house as it has an open door to then accidentally prevent a murder. It's more like Dustin sees an open door and sees blood on the door step and hears screams for help coming from inside the house, and *then* utilizes the fact that the door is open to rush into the house to help, a moral thing to do (even breaking the door if it wasn't open is probably moral in this case, if you believe the police which you called won't arrive in time).

> well, a lot of services can import your contacts directly
> from gmail (last.fm for instance). unfortunately most of them
> want your login and password.

Apparently that's all not necessary anymore thanks to the new Google Contacts API...

Dustin [PersonRank 0]

16 years ago

Thanks J. McNair. Thunderbird is the route I finally decided on. I had tried it with POP3, but lost all the labels on the mail. I heard that IMAP would at least put the labeled emails into a folder with said label name.

And you are correct, Philipp, on the order of events. After seeing what the code was doing I was very alarmed. I have a credit card tied to my Google account along with lots of other information.

I very easily could have just changed my password and been done with it, but I decided to try and put an end to it. I probably didn't have to delete all the mail, as I've been told, but I thought if he could get his account back in control he would still have all the info. The only mail in there was other people's account info, so it wasn't a personal box and I didn't feel bad deleting it. Others say it could be used as evidence and if it were to ever get that far, which I doubt it does, I'm pretty sure Google could retrieve the data.

And I did think about trying to contact the violated accounts, but since each username was just stored in the body, not contacts or anything, it would have been very difficult.

I was a little too trusting and will definitely be a little more prudent with my information.

Haochi [PersonRank 10]

16 years ago

It's not like everyone's going to use the Contacts API right away, but you have a point though. { Just be smart out there. }

Philipp Lenssen [PersonRank 10]

16 years ago

> The only mail in there was other people's account info, so
> it wasn't a personal box and I didn't feel bad deleting it.
> Others say it could be used as evidence and if it were
> to ever get that far, which I doubt it does, I'm pretty
> sure Google could retrieve the data.

Shouldn't a copy of the current program, in its current version, be enough evidence, as it still tries to "phone home" by sending emails with user passwords?

macbeach [PersonRank 6]

16 years ago

Very scary!

Maybe if this makes the news bigtime it will put an end to companies asking for user credentials for other company's products.

The practice ought to be considered unethical, even when the asking company PROMISES not to retain the information.

Philipp Lenssen [PersonRank 10]

16 years ago

This is what their homepage reads right now:

<<What happened with G-Archiver?

It has come to our attention that a flaw in the coding of G-Archiver may have revealed customer's Gmail account usernames and passwords.

It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away.

What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.

We sincerely apologize and assure you that this coding mishap was in no way intentional.

We'll be releasing a new version that corrects the flaw in version 1.0. The new version will be available very soon.>>
garchiver.com/what-happened.htm

Question: if this was an incidental thing, then why didn't the person check his email account, see all those passwords and escalate this? The mails in his account appeared unread, judging by the screenshot, but then again the password already shows in the subject line (and it's of course trivial to mark a message as unread even if you do open it).

http://www.codinghorror.com/blog/images/gmail-password-thief-screenshot.png

Also, they don't actually tell users what happened. The sentence "a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version" seems dishonest.

Whatever the case, sloppy coding or intentional abuse (which both seem to be possibilities even after this sorry message), many people who heard of this likely won't use G-Archiver anymore.

[Via http://reddit.com/info/6bm7g/comments/]

Veky [PersonRank 10]

16 years ago

> The practice ought to be considered unethical, even when the asking company PROMISES not to retain the information.

Really? Then we shouldn't give Thunderbird our Gmail password, too? :-P

Colin Colehour [PersonRank 10]

16 years ago

Anyone that used G-Archiver should immediately change their password.

@Veky, Thunderbird is a well known open source free email application. I don't think you can compare it to an app that not everyone has heard of that is not open source and that costs money.

Colin Colehour [PersonRank 10]

16 years ago

Matt Cutts mentioned G-Archiver in a blog post today about backing up your Gmail account.

<< Jeff describes a program that offers to “archive your Gmail” for $29.95, but when you give the program your username/password it secretly mails your username/password to the program’s creator. That’s pretty much pure evil in my book. And the G-Archiver program isn’t even needed! Because Gmail will export your email for free using POP or IMAP, it’s not hard to archive your Gmail. >>

http://www.mattcutts.com/blog/backup-gmail-in-linux-with-getmail/

Veky [PersonRank 10]

16 years ago

I didn't compare them. If you read carefully, you'd see that. I just ridiculed macbeach's idea that "The practice [companies asking for user credentials for other company's products] ought to be considered unethical" no matter what.

Colin Colehour [PersonRank 10]

16 years ago

@Veky, gotcha. Yeah, I don't think it's ever a 'no matter what' type of situation. If that was the case people would never use services like Meebo or 3rd party apps like Adium, Trillian, Pidgin etc.

Tran Van Tinh [PersonRank 0]

16 years ago

My idea is not to use this program as it will collect our personal information too. How can we know our collected info is secure?
