Adam Caudill


My 5 minutes of infamy


October 28, 2004 is a day I’ll remember for the rest of my life.

I was coding away on the next version of a small product called GSuite that I was building for a tiny (and now nonexistent) software company called Imspire Software. It was a simple tool that provided some goodies for Gmail users, and had a few thousand users (it eventually died as a result of rapid API changes and new tools directly from Google). As I took a break to check my email, I saw something that shocked me:

###############################################
######    Gmail Suite decrypting password     ##########
###############################################
os: win 2000 sp 4, ie 6.x with all fixes
vendor url: http://www.imspire.com/gsuite/index.html
impact: disclosure of user information, decrypt password

Gmail Suite is an application that offers different utilities for
contextual Gmail and adds menus to our Explorer, for both being able to
check and to send mail to Gmail from this suite.

Gmail Suite, once installed, leaves in the user folder
(documents and settings\user_name\Application Data\GSuit\) a file
called 'settings.xml'; if we look within this file we see
several data:

<configuration>
<User>
  <Email>User_name_login</Email>
  <Password>ìóå</Password>
</User>
</configuration>

1 name of the user of the Gmail account
2 encoded password

Somehow the encoded password has the same number of characters as the
plain-text password entered by the user. Decoding it is as simple as
taking it character by character, subtracting 128 from each one's
ASCII value (https://www.bbsinc.com/symbol.html), and looking the
result up in the ASCII table; we will then have the correct character
of the password.

example:

ì (236-128)=108
108 = a

another

á (225-128)=97
97=a

ìóå loislane

Sincerely:

Lostmon (lostmon(at)gmail.com)

[The full email is still posted over at OSVDB, and I make a point to go and look at it and the details once a year or so – just to remind myself of what can happen.]

As I worked through the somewhat iffy English of the email, I was in shock. I instantly understood the issue; I could see the code in my mind. It was written by another developer, and I could remember questioning its security – but I had other things I was supposed to be doing and didn’t worry about it. What a mistake that was.

I went back to Visual Studio and found the code that caused it all:

Public Function Crypt(ByVal strText As String) As String
    Dim strTempChar As String, i As Integer
    For i = 1 To Len(strText)
        ' Characters below 128 are shifted up by 128...
        If Asc(Mid$(strText, i, 1)) < 128 Then
            strTempChar = _
                CType(Asc(Mid$(strText, i, 1)) + 128, String)
        ' ...and characters above 128 are shifted back down, so the
        ' routine is its own inverse. (A character equal to 128 hits
        ' neither branch, leaving strTempChar from the previous loop.)
        ElseIf Asc(Mid$(strText, i, 1)) > 128 Then
            strTempChar = _
                CType(Asc(Mid$(strText, i, 1)) - 128, String)
        End If
        ' Write the shifted character back into the string in place
        Mid$(strText, i, 1) = _
            Chr(CType(strTempChar, Integer))
    Next i
    Return strText
End Function

Shifting values is obfuscation and little more: it looks like security – it might even smell like security, but it isn’t. It’s a false sense of safety; it was a mistake to implement and even more of a mistake to actually use in a consumer product.

While this was only a local information disclosure, and not something far more serious like remote arbitrary code execution, it was still enough to really shake me. I had always considered myself to be a good developer, and part of that is writing secure code. This was many things – but secure wasn’t one of them.

Thankfully, Lostmon, the finder of the issue, was courteous enough to give me a couple of days’ advance notice before making it public, allowing me plenty of time to get a notice up on the web site and get the next (fixed) version ready for release. I switched from a glorified Caesar cipher to Rijndael – a significant step up, I would say.
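An added example, not code from the post or from GSuite: the top-bit shift that Crypt performs, reimplemented in Go beside the kind of AES-GCM seal/open pair a Rijndael switch leads to today. The 16/24/32-byte key is assumed to be supplied from outside the settings file; where that key is kept is the question the shift routine never had to answer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// shiftCrypt mirrors the page's Crypt routine on Latin-1 bytes: +128 below 128,
// -128 above it, i.e. flip the top bit (128 itself is undefined in the original).
func shiftCrypt(in []byte) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		out[i] = b ^ 0x80 // its own inverse: no key is needed to undo it
	}
	return out
}

// newGCM wraps AES (16, 24 or 32-byte key) in GCM: confidentiality plus an
// integrity tag, the modern form of the Rijndael switch the post describes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM returns nonce || ciphertext || tag under a fresh random nonce.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; a wrong key or one flipped byte fails.
func openAESGCM(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(data) < gcm.NonceSize() {
		return nil, errors.New("bad key length or truncated ciphertext")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}
```

Unlike the shifted string, the sealed output is different on every save and changes length, and any edit to the file is rejected on open.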

Was anybody harmed by this issue? I don’t believe so – it was a relatively minor issue given what was needed to get the password. Was anybody impacted? Most certainly.

  • Users: They now wonder if they are secure – did somebody steal their information?
  • Company: The brand is weakened, less trusted, and questioned more.
  • Developers: Confidence is lost, self doubts start creeping in.

Because of this, every time I release an application I give much more thought to what I’m exposing and how it could be leveraged in an attack against my users. The only way I’ll agree to an application release is if I’m completely certain that I’m not risking a user’s security – if there are any unknowns, any doubts, then it’s not worth the risk. Just that simple.
