Trojan steals Gmail passwords – and charges for it

David M Williams
Wednesday, 12 March 2008 17:19

Opinion and Analysis

Having an offline copy of your e-mail is no doubt useful. Yet, the software stops short of a vital function: "Can I restore my messages to Gmail using G-Archiver?" asks the FAQ. The answer is no, "At present, G-Archiver can backup Gmail, but cannot restore automatically."

Since news of this story broke, some software download repositories have begun removing G-Archiver – although it can still be found at others.

What's the true story? Was this an attempt to steal identities? Indeed, was it part of an organised criminal racket? Or perhaps it was a naive attempt to help users out when they forgot their passwords? Unfortunately, we may never know. However, G-Archiver's authors have responded with their official story:

"What happened with G-Archiver?

It has come to our attention that a flaw in the coding of G-Archiver may have revealed customer's Gmail account usernames and passwords.

It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away.

What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.

We sincerely apologize and assure you that this coding mishap was in no way intentional.

We'll be releasing a new version that corrects the flaw in version 1.0. The new version will be available very soon."

Note from this that the software has not yet been patched; the software available for download still sends your Gmail details. Note that the apology weakly says G-Archiver "may" have revealed customer's details. And note too that the blame is placed on debug code being released to the public.

This excuse is nonsensical. G-Archiver v1.0 was announced on April 19, 2007. Did nobody at the company notice they had debug code in the wild, mailing credentials, in all that time?

And one must question why you would send a username and password to a test a connection? There were no reasons to store the usernames and passwords at all. It is very hard to come up with any plausible justification for such debugging code. It seems more believable that the G-Archiver developers were actually reaping all the e-mail out of the accounts whose passwords were now laid bare.

The problem is we will never definitely know. It is possible this was a phishing attempt, a Trojan horse, and a malicious piece of software that preyed upon the trust of Gmail devotees. However, it may also be possible the authors sincerely strived to make a useful tool and foolishly didn't think of the ramifications of some of their design decisions.

Whatever the case may be, there's two clear lessons.

Firstly, be vigilante. Don't trust every app you see.

Secondly, support free and open source software. This problem would not have gone undetected for so long had it been open source.