There's quite a commotion online about a program called g-archiver that promises to back up your Gmail account, but in the process apparently harvests all users' Gmail usernames and passwords, and mails them to a separate Gmail account.
This is indeed scary, although it's possible that the person behind it wasn't collecting the passwords for nefarious purposes. But it highlights some important issues that we tend to overlook in this Web 2.0, mashup age:
- Your online email account is more vulnerable than an offline one (by which I mean that keeping your old emails on the server is riskier than downloading them to your computer and deleting the online copy). In this sense, POP is good, IMAP and webmail bad.
- If you give your username and password to third parties, i.e., those who access your account on your behalf, you need to be more rather than less careful than with the original service. For example, services like Plaxo allow you to access your other accounts but will inevitably require you to enter your username and password, which will be stored on their server.
On top of that, it's intriguing to take a look at how legitimate this program appears, and how little the websites helping to distribute it have vetted it. I found copies at Download.com (owned by CNET), which was still hosting it despite a commenter pointing out that it steals passwords, as well as at Shareware Junkies, BrotherSoft, Softpedia, ZDNet, Download3000, FreedownloadsCenter, the excellently named Safe Install and Filedudes.
Just out of interest, G-Archiver is apparently the work of a company called MateMedia, which registered the website hosting the software. An interview with the company's president, Russ Mate, is here.
A message on the original blog post purporting to be from Mr. Mate says "MateMedia is a legitimate company and we are absolutely horrified that this has occurred", and that the company will be notifying any download sites hosting the software to "remove it immediately."
That clearly hasn't happened yet, but neither has the company removed it from its own website, at the time of writing. (Seeing the software alongside tools like FriendTools, which automates adding friends and comments for MySpace spammers, or TubeAdder, which does the same thing on YouTube, might give a prospective user pause for thought.)
My rules of thumb:
- Never download software without visiting the author's original site, and finding out who produced it. This applies to Facebook apps as well. (In G-Archiver's case, there is no contact page.)
- Think hard before you give your email password to any service, however legitimate. It's not so much about losing your email password but about all the other passwords and personal data that a bad guy could access inside your email account.
As Web 2.0 involves more and more cross-pollination of information, so we need to be smarter about who we give our passwords to, and what information we store behind those passwords, both in email and in social networking accounts.