Password theft - the potential dangers of shareware

Thanks to Susan for the heads-up about this frightening story.

All of us have felt a high degree of trust when downloading and installing software (whether it be freeware, shareware or pay-for).  Today I read a story that is a frightening reminder that when we download and install software sourced via the Internet we do NOT know who we are dealing with and we cannot be sure if our trust is misplaced.

Today's villain is called g-archiver (or garchiver, depending on who you talk to).  The software holds itself out as a "one click Gmail backup solution".  Victims install the software, enter their gmail username and password, and then start creating an archive of their Gmail passwords on their local hard drives.

What the g-archiver web site does NOT tell you is that g-archiver TRANSMITS YOUR GMAIL USERNAME AND PASSWORD TO THE AUTHOR OF THE SOFTWARE.

The behaviour was discovered by a Dustin Brooks, who emailed his discoveries to Jeff Atwood of Coding Horror.  Jeff then revealed the scandal to the world on his own blog.

Jeff's blog includes a screenshot of the g-archiver author's Gmail account, which contained 1,777 Gmail usernames and passwords.

image

To add insult to injury, g-archiver is shareware, costing $29.95.

Unfortunately Jeff Dustin deleted all of the emails stored in the gmail account, emptied the account's trash can, and then changed the password and security question on the Gmail account.

THIS WAS A VERY VERY VERY BAD THING TO DO.  What Jeff should have done is encourage Dustin Brooks to report his discoveries to the appropriate authorities, and to Google.  Instead he screws around with the Gmail account, alerting "Jterry" to the fact that the hidden behaviour of g-archiver has been discovered.

Then there is the question of whether or not Jeff Dustin broke the law by accessing the criminal's Gmail account in the first place.

I shall be reporting this incident to my contact at Google who I am hoping will be able to take steps to retrieve the deleted emails, contact and warn those affected, and contact the appropriate legal authorities.  

Cite: http://www.codinghorror.com/blog/archives/001072.html

Published Sun, Mar 9 2008 14:50 by sandi
Filed under:

Comments

# re: Password theft - the potential dangers of shareware

Sunday, March 09, 2008 7:20 AM by Dave G

I thought a clarification was in order here.

Jeff Atwood didn't access the Gmail account he was merely reporting what Dustin Brook had done.

Also Dustin said that he contacted Google to shut down this account in addition to changing the password and security question.

# re: Password theft - the potential dangers of shareware

Sunday, March 09, 2008 7:39 AM by sandi

Oh dear, what a terrible mistake for me to make. My sincere apologies to Jeff Atwood for my error (which has been corrected, as you will see above).

I have also contacted Google, and have gone quite high up the food chain in doing so.

BTW, please pass on my regards to Nick ;o)

Sandi

# re: Password theft - the potential dangers of shareware

Monday, March 10, 2008 3:43 PM by Dustin

Yes, in hindsight deleting the emails may not have been the best choice, but its not one I totally regret. After seeing why his credentials were hard coded in his software I knew my account was at risk. I could have easily just changed my password and been done with it, but by logging in with his info my worst thoughts were confirmed by seeing my username and password in his box.

I deleted the email with my info and I changed the password so his code would at least stop working. It was not the easiest thing in the world to try and contact Google either, but after finding a support form I sent in what I knew. Now if this JTerry decided to contact gmail and get his password changed, he would still have access to all that info, so acting out of haste and good intentions I deleted those as well. I did assume that Google would be able to pull these off a back up if they wanted to verify. Whether I should have done that or not is obviously up for debate and was the choice I made at the time.

# re: Password theft - the potential dangers of shareware

Monday, March 10, 2008 6:31 PM by sandi

Dustin,

By doing what you did you alerted the criminal to the fact that his activities had been discovered which was the worst possible thing that could have happened.  It would have been far better to alert the authorities and leave the information untouched.

For all we know, auto-forwarding and/or pop access may have been abled on that gmail account.  The fact that the messages were unread is no guarantee that the information had not been accessed already.

I have advised my contact at Google about the incident - a contact who is very high up the food chain - I just wish the crooks had not been alerted to the fact that that they had been found out.

Sandi

# re: Password theft - the potential dangers of shareware

Thursday, July 31, 2008 1:06 AM by turkey

Thanx You.. Perfect Docs

# re: Password theft - the potential dangers of shareware

Friday, August 22, 2008 11:59 PM by jothi

i hav lost my passwd in gmail , plz if any body can access it help me.....its jothi . kanojia @ gmail .com

plz contact at   shivanikatiyar @ rocketmail .c om

its urgent help me