Today’s Coding Horror blog entry is rather disturbing, but not particularly surprising. In short, Dustin Brooks downloaded the free G-Archiver program to backup his gmail account. It didn’t work exactly as he wanted, so he used a .NET disassembler to check the source code. Amazingly, not only were the author’s login details hard coded in, but the program was sending an email with the login details of everyone who used the program to his account!
This kind of security breach is very hard to defend against, because no anti-malware software will detect it. Your firewall will need to allow the program access in order to backup your account. It’s not a virus, and even heuristic scanning probably wouldn’t see much wrong with a program sending emails too. I suppose it would be nice to at least warn the user that the program can do that.
The company that produces the software looks pretty dodgy. I suppose the lesson here is stick to open source software, where it’s hard to get away with that sort of thing.
One Trackback
[...] fail to identify malware, even when the analysis is done for them As a follow-up to to my blog post about g-archiver, I submitted g-archiver to Avira Labs (makers of Anti-Vir) for analysis so it can be added to their [...]