Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

My 5 minutes of infamy

October 28, 2004 is a day I’ll remember for the rest of my life.

I was coding away on the next version of a small product called GSuite that I was building for a tiny (and now nonexistent) software company called Imspire Software. It was a simple tool that provided some goodies for Gmail users and had a few thousand users (it eventually died as a result of rapid API changes and new tools directly from Google). When I took a break to check my email, I saw something that shocked me:

###############################################
######    Gmail suit decripting password     ##########
###############################################
os:win 2000 sp 4 ie 6.x whith all fixes
vendor url:http://www.imspire.com/gsuite/index.html
impact: disclosure user information decript password

gmail suit is an application that offers different utilities for
contextual gmail and adds menus our explorer for as much being able to
consult as to send post office to gmail from this suit

Gmail suit once installed leaves in the user folder:
(documents and settings\user_name\Application Data\GSuit\) creates a
called file 'settings.xml' if we watched within this file we see
several data:

<configuration>
<User>
  <Email>User_name_login</Email>
  <Password>ìóå</Password>
</User>
</configuration>

1 name of user of the account of gmail
2 password codified

somehow password codified has the same length of characters that
password in flat text introduced by the  user to know like decoding as
simple the one whom serious as to pass character through character to
its 128 to him value ASCII(https://www.bbsinc.com/symbol.html) of
reducing and the turn out to watch in table ASCII and we will have the
correct character of password

example:

ì (236-128)=108
108 = a

another

á (225-128)=97
97=a

ìóå loislane

atentamente:

Lostmon (lostmon(at)gmail.com)

[The full email is still posted over at osvdb, and I make a point to go and look at it and the details once a year or so – just to remind myself of what can happen.]

As I worked through the somewhat iffy English of the email, I was in shock. I instantly understood the issue; I could see the code in my mind. It had been written by another developer, and I could remember questioning its security – but I had other things I was supposed to be doing and didn’t worry about it. What a mistake that was.

I went back to Visual Studio and found the code that caused it all:

Public Function Crypt(ByVal strText As String) As String
    ' Moves each character across code point 128: values below 128 are
    ' raised by 128, values above 128 are lowered by 128. Running the same
    ' function over its own output restores the original text.
    Dim strTempChar As String, i As Integer
    For i = 1 To Len(strText)
        If Asc(Mid$(strText, i, 1)) < 128 Then
            strTempChar = CType(Asc(Mid$(strText, i, 1)) + 128, String)
        ElseIf Asc(Mid$(strText, i, 1)) > 128 Then
            strTempChar = CType(Asc(Mid$(strText, i, 1)) - 128, String)
        End If
        ' A character whose code is exactly 128 matches neither branch,
        ' so strTempChar keeps whatever the previous iteration left in it.
        Mid$(strText, i, 1) = Chr(CType(strTempChar, Integer))
    Next i
    Return strText
End Function

Shifting values is obfuscation and little more. It looks like security – it might even smell like security – but it isn’t. It’s a false sense of safety; it was a mistake to implement and an even bigger mistake to actually ship in a consumer product.
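As an added example (not code from the post or from GSuite), the Python below mirrors the Crypt() shift to show that it is its own inverse, then turns that property into an audit check a reviewer could run against a settings file; the element names follow the settings.xml layout in the advisory, the sample file is constructed, and the helper names are my own.

```python
import string
import xml.etree.ElementTree as ET

# Printable ASCII minus line/page control characters.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def crypt(text: str) -> str:
    """Python mirror of the post's VB.NET Crypt(): each character's code point
    is moved across 128 (c+128 for c<128, c-128 for c>128), so applying it
    twice restores the input. A code of exactly 128 is passed through
    unchanged here; the VB version hit neither branch for it."""
    out = []
    for ch in text:
        c = ord(ch)
        if c < 128:
            out.append(chr(c + 128))
        elif c > 128:
            out.append(chr(c - 128))
        else:
            out.append(ch)
    return "".join(out)

def looks_shift_obfuscated(stored: str) -> bool:
    """Audit heuristic: real ciphertext has no structure to undo, but a
    128-shifted password is the same length as the plaintext, consists only
    of code points 128..255 and becomes printable ASCII once the shift is
    reversed. Flag the field when all of that holds."""
    if not stored or any(not 128 <= ord(ch) <= 255 for ch in stored):
        return False
    return all(ch in PRINTABLE for ch in crypt(stored))

def audit_settings(xml_text: str) -> dict:
    """Parse a GSuite-style settings.xml and report whether the <Password>
    element is merely shift-obfuscated. Only a verdict is returned; the
    recovered value itself is deliberately not exposed."""
    root = ET.fromstring(xml_text)
    email = root.findtext("./User/Email") or ""
    stored = root.findtext("./User/Password") or ""
    return {"email": email, "stored_length": len(stored),
            "obfuscated": looks_shift_obfuscated(stored)}

# Constructed sample in the layout shown in the advisory; the stored value is
# the advisory's example password run through crypt().
SAMPLE_SETTINGS_XML = (
    "<configuration><User><Email>user_name_login</Email>"
    "<Password>" + crypt("loislane") + "</Password></User></configuration>"
)

if __name__ == "__main__":
    print(audit_settings(SAMPLE_SETTINGS_XML))
```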

While this was only a local information disclosure, not something far more serious like a remote arbitrary code execution issue, it was still enough to really shake me. I had always considered myself a good developer, and part of that is writing secure code. This was many things – but secure wasn’t one of them.

Thankfully, Lostmon, the finder of the issue, was courteous enough to give me a couple of days’ advance notice before making it public, allowing me plenty of time to get a notice up on the web site and get the next (fixed) version ready for release. I switched from a glorified Caesar cipher to Rijndael – a significant step up, I would say.

Was anybody harmed by this issue? I don’t believe so – it was a relatively minor issue given what was needed to get the password. Was anybody impacted? Most certainly.

  • Users: They now wonder if they are secure – did somebody steal their information?
  • Company: The brand is weakened, less trusted, and questioned more.
  • Developers: Confidence is lost, self doubts start creeping in.

Because of this, every time I release an application I give much more thought to what I’m exposing and how it could be leveraged in an attack against my users. The only way I’ll agree to release an application is if I’m completely certain that I’m not risking a user’s security – if there are any unknowns, any doubts, then it’s not worth the risk. Just that simple.
