3/10/2008
07:16 PM

Thieving Third-Party Gmail App Highlights Google Security Worries

A .Net programmer finds G-Archiver steals users' Gmail login details, adding to a growing number of security incidents.

Like Microsoft before it, Google's dominance has made it a target for cyber criminals.

Security has always been an issue for Google, as it is with any online company, but only in the past two years has Google ramped up its public outreach efforts to communicate its commitment to security.

The proliferation of malware, spam, phishing, and related ills could seriously hinder Google's growth if it continues unchecked.

The problem Google faces is that its efforts to reassure its users risk being drowned out by the drumbeat of security incidents affecting Google properties.

On Friday, Coding Horror, a popular blog run by programmer Jeff Atwood, published allegations that a Windows shareware application for archiving Gmail messages called G-Archiver steals users' Gmail login details.

The allegations were made by Dustin Brooks, a .Net programmer with a database management company based in the Midwest.

In a phone interview, Brooks confirmed that he had used a programming analysis tool called Reflector to review the application's source code and found that the program's author had hard-coded the e-mail address jterry79@gmail.com into the code, along with the password to the account.

As Brooks explained in an e-mail to Atwood, "Having just entered my own information I became concerned. I opened up a browser and logged in to Gmail using his account information. It still worked. Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine."

Brooks said he then deleted the presumably stolen account information, changed the password on the account, and notified Google.

The company that distributes G-Archiver, MateMedia, did not respond to a request for comment. "John Terry," the purported author of the software, could not be reached for comment.

In an e-mailed statement, Google said it was aware of the program but was not responsible for it. "Google is aware of claims that a third-party tool called G-Archiver, which is purported to store Gmail on a user's hard drive, was actually gathering e-mail addresses and passwords of anyone who used the application," a company spokesperson said. "G-Archiver required users to download software and enter their personal information to use the application."

"G-Archiver is not and has never been a Google product," Google's statement continues. "We are investigating this incident, the underlying activities of which violate Gmail Program Policies. We have suspended the suspect account, and are in the process of notifying the owners of those accounts whose passwords may have been compromised. It's unfortunate that fraudsters continue to use email for these purposes. We have phishing detection capabilities built into Gmail, so we were able to act quickly to limit the impact of this particular attack."

The statement also includes reminders that Google offers industrial-strength security measures like SAML that allow for multi-factor authentication, and that Gmail comes with anti-phishing protection.

In and of itself, the G-Archiver incident merely reflects the risks of using software from an unknown source.

But Google has had plenty of such issues to deal with recently. It has become a source of hacker information, through automated Google scanning tools like Goolag Scanner and the Google Hacking Database Tool. Last week, there was a porn outbreak in Google Groups. In December, Google had to stomp out a worm spreading on its Orkut social networking site and deal with Trojan.Qhost.WU, Trojan software that replaces Google AdSense text ads with potentially malicious ads from a different provider. In November, Google conducted a significant purge of its search index to get rid of malicious Web pages that had been artificially promoted to prominence by spammers.
