Blogging developer Jeff Atwood has written up a story of password theft that will send a chill down the spine of anyone who enjoys trying out new applications online.
The story concerns a GMail archiving application sold by an unscrupulous coder who programmed it to forward every customer's GMail username and password to his own personal GMail account.
The story underlines the importance of the emerging movement for user authentication standards, part of the user-trust dilemma that will be key to online innovation in the near term. OAuth, one of those proposed standards, is something we write about here regularly.
Dustin Brooks is a reader of Atwood’s excellent blog Coding Horror and sent Atwood the story of his sleuthing around the app, called G-Archiver.
“It didn’t really have the functionality I was looking for,” Brooks wrote, “but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard-coded his username and password to his Gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.
“I opened up a browser and logged in to gmail using his account information. It still worked.
“Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software, and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don’t remember as well, whoops, my bad. I also contacted Google to erase this account as I didn’t see a way to delete it myself.”
Way to go, Dustin Brooks.
Authentication Standards and Best Practices: A Key to Innovation
How often have you handed your username and password for various services, including webmail, to a new application you wanted to check out? I know I do that far too often. I decided I’d had enough last week when yet another application asked for my Twitter username and password. Twitter pays my rent, so I can’t be giving my credentials out to just anybody. I don’t need to get G-Archived.
New third-party Twitter clients are not going to get any attention from me until Twitter offers an authentication protocol that doesn’t require me to hand over my username and password. That’s pretty insane if you think about it, given how central the Twitter API is to the company’s viability. I suppose if you’re struggling to keep your pants up at a party (service uptime), there’s no time to check that your fly is zipped before meeting the other guests.
When users decide they won’t give their credentials to random startups, the user pipeline is going to dry up and innovation is going to slow substantially. Maybe that’s already happening, and a world of potential support for innovation is already absent.
With the release of the Google Contacts API this week, developers have little excuse to ask for a GMail username and password. Unfortunately, Google didn’t build its API on a standard like OAuth, so that framework won’t spread as far and wide as it might.
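What a delegated-authorization protocol actually buys you, shown as an added example that is not part of the original post and is not code from Twitter, Google or G-Archiver: an OAuth 1.0a request-signing exchange (the scheme later published as RFC 5849, HMAC-SHA1 variant) with both sides modelled in Python. The third-party client holds only a consumer secret and a per-user access token; the provider recomputes the signature, rejects replayed nonces and stale timestamps. The consumer key, token, URL and username are constructed sample values, and the step where the user approves the client on the provider's own site (the only place the password is ever typed) is assumed to have already happened and is not modelled.

```python
"""OAuth 1.0a HMAC-SHA1 request signing, client and provider side (added example).
The client never sees the user's password; it holds a consumer secret and a
revocable access token, which is all a G-Archiver-style app could ever leak."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ stay unencoded)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(url) & enc(sorted 'enc(k)=enc(v)' pairs joined by '&')."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """Key is enc(consumer_secret)&enc(token_secret); result is base64 of the MAC."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


# ---- third-party client (a desktop Twitter/GMail helper, for example) ----
def client_sign_request(method, url, params, consumer_key, consumer_secret,
                        access_token, token_secret, nonce=None, timestamp=None):
    """Return the full parameter set including oauth_signature, ready to send.
    nonce/timestamp can be injected so the example is deterministic under test."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": access_token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    signed = {**params, **oauth}
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed, consumer_secret, token_secret)
    return signed


# ---- service provider (the Twitter/Google side) ----
class Provider:
    def __init__(self, consumers, tokens, window_seconds=300):
        self.consumers = consumers      # consumer_key -> consumer_secret
        self.tokens = tokens            # access_token -> (token_secret, username)
        self.window = window_seconds    # allowed clock skew for oauth_timestamp
        self.seen_nonces = set()        # (consumer_key, timestamp, nonce) already accepted

    def verify_request(self, method, url, params, now):
        """Return the username the token belongs to, or None if the request is rejected."""
        try:
            consumer_secret = self.consumers[params["oauth_consumer_key"]]
            token_secret, username = self.tokens[params["oauth_token"]]
            ts = int(params["oauth_timestamp"])
            nonce = params["oauth_nonce"]
        except (KeyError, ValueError):
            return None                                   # unknown key/token or malformed
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        if abs(now - ts) > self.window:
            return None                                   # stale or future-dated request
        replay_key = (params["oauth_consumer_key"], ts, nonce)
        if replay_key in self.seen_nonces:
            return None                                   # same nonce twice: a replay
        expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return None                                   # tampered or forged
        self.seen_nonces.add(replay_key)
        return username


# ---- constructed sample data; none of these are real credentials ----
CONSUMER_KEY, CONSUMER_SECRET = "g-archiver-like-client", "consumer-secret-xyz"
ACCESS_TOKEN, TOKEN_SECRET = "token-for-dbrooks", "token-secret-abc"
URL = "https://api.example.com/1/statuses/update"


def make_provider():
    return Provider({CONSUMER_KEY: CONSUMER_SECRET}, {ACCESS_TOKEN: (TOKEN_SECRET, "dbrooks")})


def demo(now=1_205_000_000):
    """Valid request is accepted once; its replay and a tampered copy are rejected."""
    provider = make_provider()
    req = client_sign_request("POST", URL, {"status": "hello world"}, CONSUMER_KEY,
                              CONSUMER_SECRET, ACCESS_TOKEN, TOKEN_SECRET,
                              nonce="n1", timestamp=now)
    accepted = provider.verify_request("POST", URL, req, now)
    replayed = provider.verify_request("POST", URL, req, now)
    tampered = {**req, "status": "pwned", "oauth_nonce": "n2"}   # fresh nonce, stale signature
    forged = provider.verify_request("POST", URL, tampered, now)
    return accepted, replayed, forged


if __name__ == "__main__":
    print(demo())  # ('dbrooks', None, None)
```

Note what is absent from `client_sign_request`: the user's password. A malicious client built on this model could still email its operator the access token, but the user can revoke that token at the provider without changing their password, the token is scoped to one application, and the provider can see exactly which consumer key is abusing it. That is the difference between "I don't need to get G-Archived" and having to trust every desktop tool with the keys to the whole account.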
Niall Kennedy has written a great article about authentication best practices, and the OAuth website is a good place to go to read more on this topic.