Sunday, March 09, 2008 2:50 PM
sandi
Password theft - the potential dangers of shareware
Thanks to Susan for the heads-up about this frightening story.
All of us have felt a high degree of trust when downloading and installing software (whether it be freeware, shareware or pay-for). Today I read a story that is a frightening reminder that when we download and install software sourced via the Internet we do NOT know who we are dealing with and we cannot be sure if our trust is misplaced.
Today's villain is called g-archiver (or garchiver, depending on who you talk to). The software holds itself out as a "one click Gmail backup solution". Victims install the software, enter their Gmail username and password, and then start creating an archive of their Gmail passwords on their local hard drives.
What the g-archiver web site does NOT tell you is that g-archiver TRANSMITS YOUR GMAIL USERNAME AND PASSWORD TO THE AUTHOR OF THE SOFTWARE.
The behaviour was discovered by a Dustin Brooks, who emailed his discoveries to Jeff Atwood of Coding Horror. Jeff then revealed the scandal to the world on his own blog.
Jeff's blog includes a screenshot of the g-archiver author's Gmail account, which contained 1,777 Gmail usernames and passwords.
To add insult to injury, g-archiver is shareware, costing $29.95.
Unfortunately, Jeff Dustin deleted all of the emails stored in the Gmail account, emptied the account's trash can, and then changed the password and security question on the Gmail account.
THIS WAS A VERY VERY VERY BAD THING TO DO. What Jeff should have done is encourage Dustin Brooks to report his discoveries to the appropriate authorities, and to Google. Instead he screws around with the Gmail account, alerting "Jterry" to the fact that the hidden behaviour of g-archiver has been discovered.
Then there is the question of whether or not Jeff Dustin broke the law by accessing the criminal's Gmail account in the first place.
I shall be reporting this incident to my contact at Google, who I am hoping will be able to take steps to retrieve the deleted emails, contact and warn those affected, and contact the appropriate legal authorities.
Cite: http://www.codinghorror.com/blog/archives/001072.html