ReadWriteWeb

Your Email Password: A True Horror Story About Why We Need Authentication Standards

Written by Marshall Kirkpatrick / March 8, 2008 12:18 PM / 24 Comments

Blogging developer Jeff Atwood has written up a story of password theft that will run a chill down the back of anyone who enjoys trying out new applications online.

The story is about a GMail archiving application being sold by an unscrupulous coder who programmed the app to forward all GMail usernames and passwords from customers to his personal GMail account.

The story underlines the importance of the emerging movement for user authentication standards, a part of the user trust dilemma that will prove key in the near-term future of online innovation. OAuth, one of those proposed standards, is something we write about here regularly.

Dustin Brooks is a reader of Atwood's excellent blog Coding Horror and sent Atwood the story of his sleuthing around the app, called G-Archiver.

"It didn't really have the functionality I was looking for," Brooks wrote, "but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard-coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.

"I opened up a browser and logged in to gmail using his account information. It still worked.

"Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted google to erase this account as I didn't see a way to delete it myself."

Way to go, Dustin Brooks.

Authentication Standards and Best Practices: A Key to Innovation

How often have you given your usernames and passwords to various services, including webmail, to a new application you want to check out? I know I do that far too often. I decided I'd had enough last week when yet another application asked for my Twitter username and password. Twitter pays my rent, so I can't be giving my credentials out to just anybody. I don't need to get G-Archived.

New 3rd-party Twitter clients are just not going to get any attention from me until Twitter offers an authentication protocol that doesn't require me to provide my username and password. It's pretty insane if you think about it, given how central the Twitter API is to the company's viability. I guess if you're struggling to keep your pants up at a party, though (service up time), then there's no time to make sure your fly is zipped before meeting the other guests.

When users decide that they won't give out their credentials to random startups, the user pipeline is going to dry up and innovation is going to be slowed substantially. Maybe that's already happening and a world of potential support for innovation is already absent.

With the release of the Google Contacts API this week, developers don't have much excuse to ask for a GMail username and password. Unfortunately, Google didn't build its API on a standard like OAuth, so that framework won't spread as far and wide as it might.

Niall Kennedy has written a great article about authentication best practices, and the OAuth website is a good place to go to read more on this topic.

Comments

  1. As a solution, though it would be a pain in the ass, why not create a test email or twitter account to try out these new services, if they seem worth the hassle?

    Posted by: Corvida | March 8, 2008 12:39 PM



  2. Perhaps a bigger problem, particularly at places like SXSW, is all those Twitter passwords being sent in the clear over the air.

    Posted by: Gabe | March 8, 2008 12:41 PM



  3. What a horror and utterly shameful story. It's become normal these days to give out a myspace or livejournal password on rockyou, slide, gigya, etc because they make the utterly painful job of publishing HTML code seemingly easy. But what happens is that soon you develop this habit of trusting such sites and programs that ask for login because most of them are genuine and useful. But then how do you ever know for sure?

    This indeed was a wake-up call and I think it's high time for all big companies to start working on API or at least have something like a "bonded-sender" like program that lists which companies to trust and what they're liable for in case a malpractice is found.

    Posted by: san | March 8, 2008 1:32 PM



  4. Good news San, we're working on that problem. I'll keep you posted.

    Posted by: Paul Jensen | March 8, 2008 2:55 PM



  5. The system I came up with for some of my projects is dead simple.

    Apps need a second password for API usage. These can be changed at any time. This password could not actually be used to log in to an account.

    Posted by: Darren Stuart | March 8, 2008 3:14 PM
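
The scheme Darren Stuart sketches in the comment above, and the article's own point that a third-party app should never need the account password, as an added Python illustration. This is not code from the article, from G-Archiver, from Twitter or from any OAuth library: the service issues the app a separate, revocable credential that only works against the API and only for the scopes the user granted, so the app never sees the password, the token cannot log in, and the user can cut that one app off without touching anything else. The class and method names (AccountService, grant_app_token, api_call, revoke), the "mail.read"/"mail.send" scopes and the sample account are all invented for this example.

```python
"""Revocable, API-only app tokens instead of handing over the account password.

Added illustration, not code from the article or from any real service.
AccountService, grant_app_token, the "mail.read"/"mail.send" scopes and the
sample account below are all invented for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes          # stretched hash of the interactive login password
    # token_id -> (sha256 of the token secret, app name, granted scopes)
    app_tokens: dict = field(default_factory=dict)


def _stretch(secret: str, salt: bytes) -> bytes:
    """Slow hash for the human-chosen password, which may be low entropy."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def _token_hash(token_secret: str) -> bytes:
    """A random 256-bit token needs no stretching; a plain hash suffices."""
    return hashlib.sha256(token_secret.encode()).digest()


class AccountService:
    def __init__(self) -> None:
        self._accounts = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(username, salt, _stretch(password, salt))

    def login(self, username: str, secret: str) -> bool:
        """Interactive login: only the real password is accepted, never an app token."""
        acct = self._accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(_stretch(secret, acct.salt), acct.password_hash)

    def grant_app_token(self, username: str, password: str, app: str, scopes) -> str:
        """The user, not the app, proves the password once at the service; the app
        receives only a token limited to the listed scopes and never stores the password."""
        if not self.login(username, password):
            raise PermissionError("wrong password")
        acct = self._accounts[username]
        token_id = secrets.token_hex(8)
        token_secret = secrets.token_urlsafe(32)
        acct.app_tokens[token_id] = (_token_hash(token_secret), app, frozenset(scopes))
        return f"{token_id}.{token_secret}"   # the only credential the app ever gets

    def api_call(self, username: str, token: str, scope: str) -> bool:
        """API access: only a live app token whose scopes cover the request is accepted.
        The account password is useless here, so the API cannot be driven with it."""
        acct = self._accounts.get(username)
        if acct is None or "." not in token:
            return False
        token_id, token_secret = token.split(".", 1)
        entry = acct.app_tokens.get(token_id)
        if entry is None:                     # unknown, or already revoked
            return False
        stored_hash, _app, scopes = entry
        return hmac.compare_digest(_token_hash(token_secret), stored_hash) and scope in scopes

    def list_apps(self, username: str) -> list:
        """What an 'authorized apps' page would show the user: who has access, to what."""
        acct = self._accounts[username]
        return [(tid, app, sorted(sc)) for tid, (_h, app, sc) in acct.app_tokens.items()]

    def revoke(self, username: str, token_id: str) -> None:
        """Cutting off one app touches neither the password nor any other app."""
        self._accounts[username].app_tokens.pop(token_id, None)


def demo() -> dict:
    """Grant, use, misuse and revoke a token; returns each check as a named bool."""
    svc = AccountService()
    password = "correct horse battery staple"   # constructed sample credential
    svc.register("alice", password)
    token = svc.grant_app_token("alice", password, "archiver-app", ["mail.read"])
    token_id = token.split(".", 1)[0]
    checks = {
        "app_can_read_mail": svc.api_call("alice", token, "mail.read"),
        "app_cannot_send_mail": not svc.api_call("alice", token, "mail.send"),
        "token_cannot_log_in": not svc.login("alice", token),
        "password_cannot_drive_api": not svc.api_call("alice", password, "mail.read"),
        "user_sees_the_grant": svc.list_apps("alice") == [(token_id, "archiver-app", ["mail.read"])],
    }
    svc.revoke("alice", token_id)
    checks["revoked_token_rejected"] = not svc.api_call("alice", token, "mail.read")
    checks["grant_gone_from_list"] = svc.list_apps("alice") == []
    checks["password_still_works"] = svc.login("alice", password)
    return checks
```

Running `demo()` returns every check as True. The two properties that matter for the story are "token_cannot_log_in" and "password_cannot_drive_api": a leaked or exfiltrated app token gives an attacker only the granted API scopes until the user revokes it, whereas a leaked password gives them the whole account, which is exactly what G-Archiver's users handed over.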



  6. No surprise from me, but a big +10 for covering this. This is exactly the case we sought to avoid in creating OAuth.

    It won't be long before something really dastardly happens that will force developers' and companies' hands to get proactive about their users' credentials. Stuff like this will cost people their business.

    Posted by: factoryjoe.com Author Profile Page | March 8, 2008 8:58 PM



  7. Interesting, your comment about Twitter. I ditched the idea of integrating Twitter on Travellerspoint, because I just wasn't comfortable storing third party logins. I don't want to put our users in a compromised situation like that - even if they don't realise it's a problem.

    Posted by: Peter Daams | March 9, 2008 3:40 AM



  8. People need ONE personal 2-factor ID device that they can register and use with websites. And that 2-factor ID device needs to itself have a keypad and password on it.

    Posted by: chrisco | March 9, 2008 6:14 AM



  9. Wow, what a story. I will say that we at Mashery are receiving more customer requests for OAuth support than just about any feature. We're currently implementing it for several customers, and I expect that within a few months we'll have more people using it than not.

    Posted by: Oren Michels | March 9, 2008 6:25 AM



  10. Sorry, this is not a horror story. If you are stupid enough to give your password to every random application/service that comes along, it's your own fault.

    Posted by: Erik | March 9, 2008 8:25 AM



  11. @Oren: that's great news! Would love you to help out with the libraries as well!

    @Erik: that's fine to say if you don't have any customers, but the reality is, if people want something bad enough, they'll give out their passwords, and people want social connections across different networks. It's not enough to say that these people are "stupid" — it's that these systems are not giving them a better way to accomplish a very reasonable and simple task (or in the case of the story, backing up their Gmail account).

    Posted by: factoryjoe.com Author Profile Page | March 9, 2008 10:01 AM



  12. I agree with Erik to a degree, it's one thing to give out your credentials to a big name well known service, it's completely another though to give it out to an unknown 3rd party developer. And that g-archiver scam must be incredibly rare, the jig would be up pretty quickly with that kind of thing and it's all traceable.

    Mountains out of molehills.

    Posted by: John | March 9, 2008 10:42 PM



  13. There is an education aspect here. It's easy to say people are stupid, but perhaps they are just not aware. Let's say OAuth becomes a standard and people start implementing it; how will the average person know if a particular site is OAuth compliant? It's easier to implement standards than to get people to understand the implications. We need user education in a non-geeky, non-alarmist sort of way.

    Posted by: mndoci.myopenid.com Author Profile Page | March 9, 2008 11:12 PM



  14. From the gArchiver developer's point of view that was very lame of him. He should have expected that some programmer would take a look at his code and find the scam and the user + password to its gmail account. I think that gmail has something called automated forwarding, and any email that came to this email should have been forwarded to another email address. Or he might have just emailed the info to an email address, just as simple w/o the need of credentials. From the user's pov that is very dangerous, and indeed, most services today require your info to make their functionality work, and that creates a trust habit. No good. I remember the first case when I got such a request from Hi5, a social network .. I was so suspicious that I changed the password to something temporary, gave the new info, then after it had done its thing changed the password back. Later on I just gave the real password :(

    Posted by: edyshor | March 10, 2008 4:10 AM



  15. If you want to try out a new online service, just use a fake email address. Make up a random email address @mailinator.com, e.g. dakfljv0294@mailinator.com, and submit it. Then go to www.mailinator.com, type your fake email address in the "Check your inbox" field, and you can see all the emails sent to that address. Works pretty nicely. I used to use 10minutemail, which created a random email address that worked for 10 minutes, but their server seems to have been down for a while already.

    Posted by: anonymous anonymous | March 10, 2008 5:30 AM



  16. @Marshall on Twitter and Oauth: they have Oauth support in beta, see https://twitter.com/oauth

    Posted by: Pascal Van Hecke | March 10, 2008 12:53 PM



  17. (As a sidenote, I do not seem to be able to log in with my usual OpenID account(s). Is that because an email address is mandatory? I do not want my OpenID provider to pass that along, since I auto-create an email alias for every site I log into...)

    Posted by: pascal.vanhecke.name Author Profile Page | March 10, 2008 1:01 PM



  18. There is already an Open Authentication standard out there - it's called Kerberos and it's been around for a decade!

    Posted by: Bake | March 10, 2008 2:57 PM



  20. Been around security and computers for 50 years. What I do is only have one computer for the web and email, and all my personal and work on multiple other computers with absolutely no connections. The infinitely high firewall. So far all is good. Cheers

    Posted by: Dave Caulfield | March 10, 2008 4:46 PM



  21. That's why I never provide my email ID and password to anyone other than my mail account provider.

    Posted by: Md. Maftahur Rahman | March 11, 2008 3:34 AM



  22. What's funny is that g-archiver put a statement on their site saying it was a "developer error" and that it was code for testing, left in the Production version by mistake.

    They have a new version coming out soon, but considering this issue, what is the chance that people will actually trust them now?

    Posted by: numberwhun Author Profile Page | March 11, 2008 4:42 PM



  23. Another perfect example of an insecure Internet protocol. Stopping things like this from happening wouldn't be an easy process to implement. The best thing would be to just use common sense and perhaps put in a few minor security protocols to help reduce something like this happening. The problem here is trust: much like trusting a person once and everything turning out ok, you seem to develop this subconscious trust with the person and you won't hesitate to give them your information next time they need it, and that may be the biggest mistake you make.

    Trust no one with your information unless the application is created by the company itself.

    - Dwayne Charrington.

    Posted by: Dwayne Charrington | March 11, 2008 11:01 PM


