Thieving Third-Party Gmail App Highlights Google Security Worries
A .Net programmer finds G-Archiver steals users' Gmail login details, adding to a growing number of security incidents.
Like Microsoft before it, Google's dominance has made it a target for cyber criminals.
Security has always been an issue for Google, as it is with any online company, but only in the past two years has Google ramped up its public outreach efforts to communicate its commitment to security.
The proliferation of malware, spam, phishing, and related ills could seriously hinder Google's growth if it continues unchecked.
The problem Google faces is that its efforts to reassure its users risk being drowned out by the drumbeat of security incidents affecting Google properties.
On Friday, Coding Horror, a popular blog run by programmer Jeff Atwood, published allegations that a Windows shareware application for archiving Gmail messages called G-Archiver steals users' Gmail login details.
The allegations were made by Dustin Brooks, a .Net programmer with a database management company based in the Midwest.
In a phone interview, Brooks confirmed that he had used a programming analysis tool called Reflector to review the application's source code and found that the program's author had hard-coded the e-mail address firstname.lastname@example.org into the code, along with the password to the account.
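The check Brooks describes, reviewing a downloaded tool's code for credentials that should not be there, can be approximated without a decompiler by scanning the binary's string literals. The following is an added example, not code from the article, from Brooks, or from G-Archiver; it assumes a .NET-style assembly that stores string literals as UTF-16LE, and the sample bytes and the credential values in them are constructed placeholders.

```python
import re

# Constructed sample standing in for a downloaded .NET assembly. .NET stores
# string literals in the #US heap as UTF-16LE, so a plain ASCII "strings" pass
# would miss them. The address and password are fake placeholders.
SAMPLE_BINARY = (
    b"\x00\x01MZ\x90\x00"
    + "Archiving mailbox".encode("utf-16-le") + b"\x00\x00"
    + "smtp.gmail.com".encode("utf-16-le") + b"\x00\x00"
    + "author.placeholder@example.org".encode("utf-16-le") + b"\x00\x00"
    + "hunter2-placeholder".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x00"
)


def extract_strings(data: bytes, min_len: int = 6):
    """Return printable runs found both as ASCII and as UTF-16LE, in file order
    within each encoding (ASCII hits first, then UTF-16LE hits)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


# Deliberately simple e-mail shape; good enough to flag literals for review.
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def find_embedded_credentials(data: bytes):
    """Flag e-mail-shaped literals and report the literals stored next to them,
    which is where a hard-coded password for that account tends to sit.
    Returns a list of {"email": ..., "nearby": [...]} findings for a human
    reviewer; it does not try to decide what the neighbouring strings are."""
    strings = extract_strings(data)
    hits = []
    for i, s in enumerate(strings):
        if EMAIL_RE.match(s):
            neighbours = strings[max(0, i - 1):i + 2]
            hits.append({"email": s, "nearby": [n for n in neighbours if n != s]})
    return hits


if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_BINARY):
        print(f"embedded account {hit['email']!r}, adjacent literals: {hit['nearby']}")
```

A mail client legitimately embeds server names like the SMTP host above, so the scan only surfaces candidates; the point is that an e-mail address sitting beside a password-like literal in a tool that asks for your own credentials is reason to stop before entering them. A decompiler such as Reflector shows the same literals with the code that uses them, which is how the article says the behaviour was confirmed.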
As Brooks explained in an e-mail to Atwood, "Having just entered my own information I became concerned. I opened up a browser and logged in to Gmail using his account information. It still worked. Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine."
Brooks said he then deleted the presumably stolen account information, changed the password on the account, and notified Google.
The company that distributes G-Archiver, MateMedia, did not respond to a request for comment. "John Terry," the purported author of the software, could not be reached for comment.
In an e-mailed statement, Google said it was aware of the program but was not responsible for it. "Google is aware of claims that a third-party tool called G-Archiver, which is purported to store Gmail on a user's hard drive, was actually gathering e-mail addresses and passwords of anyone who used the application," a company spokesperson said. "G-Archiver required users to download software and enter their personal information to use the application."
"G-Archiver is not and has never been a Google product," Google's statement continues. "We are investigating this incident, the underlying activities of which violate Gmail Program Policies. We have suspended the suspect account, and are in the process of notifying the owners of those accounts whose passwords may have been compromised. It's unfortunate that fraudsters continue to use email for these purposes. We have phishing detection capabilities built into Gmail, so we were able to act quickly to limit the impact of this particular attack."
The statement also includes reminders that Google offers industrial-strength security measures like SAML that allow for multi-factor authentication, and that Gmail comes with anti-phishing protection.
In and of itself, the G-Archiver incident merely reflects the risks of using software from an unknown source.
But Google has had plenty of such issues to deal with recently. It has become a source of hacker information, through automated Google scanning tools like Goolag Scanner and the Google Hacking Database Tool. Last week, there was a porn outbreak in Google Groups. In December, Google had to stomp out a worm spreading on its Orkut social networking site and deal with Trojan.Qhost.WU, Trojan software that replaces Google AdSense text ads with potentially malicious ads from a different provider. In November, Google conducted a significant purge of its search index to get rid of malicious Web pages that had been artificially promoted to prominence by spammers.