
Who is accessing your Gmail account? - duck
http://antoniocangiano.com/2010/06/15/who-is-accessing-your-gmail-account
======
andreyf
Am I missing something here? From their website, it looks pretty clear that
Etacts advertises checking your e-mail to remind you to keep in touch with
people. Just like I wouldn't be surprised that Mint.com accesses my bank
account online, this is hardly as outrageous as he makes it seem. Also, wiping
your computer or using 1Password isn't going to stop you from giving your
password to random web apps...

~~~
acangiano
I did specify that the IP address is not clearly associated with Etacts,
though it turns out that it probably is them. However, that's not the point.
My post is an invitation of sorts to check one's Activity Window, plus my
suggestions in terms of what steps can be taken when an intrusion is
suspected. BTW, the tone of my post was not meant to be outrageous nor
accusatory of Etacts.

> Also, wiping your computer or using 1Password isn't going to stop you from
> giving your password to random web apps...

I'm not incautious with my password in the least. It's generally not hazardous
to sign in with Google elsewhere, provided you trust the site. You can make an
assessment of the risks and benefits of signing in through your Google account
yourself on a site-by-site basis. If you have reason to believe that they've
violated your trust or that a security breach has happened, you can revoke
access (from that site) and change your password (or even decide to be
paranoid and never login elsewhere again).

~~~
drivebyacct
Changing my password that I've given to a website hardly qualifies as
"revoking access". I have no problem using my Google Account as a login
mechanism when it's through oAuth or xAuth or whatever Google is using these
days for that pass through, but the Facebook give-us-your-login-temporarily
style stuff is unacceptable.

~~~
acangiano
Google actually gives you the ability to revoke access. It's under your Google
account settings.

~~~
drivebyacct
Not if you give your username and passwords to websites. I feel like you don't
understand this distinction all up and down this thread...

Also, man, what is the point of DBANing your install? Is software that is no
longer accessible to the OS or likely even any consumer level hardware going
to magically log your keystrokes, I mean make you give your usernames and
passwords to websites and then be surprised that they use them?

~~~
acangiano
>Not if you give your username and passwords to websites. I feel like you
don't understand this distinction all up and down this thread...

I've never given my username and password directly to websites, except for
Etacts. For the other sites, I simply authorized them (through the Google
interface) to access certain functionalities. Behind the scenes Google doesn't
provide them with my password:
[https://www.google.com/support/accounts/bin/answer.py?answer...](https://www.google.com/support/accounts/bin/answer.py?answer=112802)

They also put such sites on a list that is accessible from your account.
You can remove sites from that list at any time.

> Also, man, what is the point of DBANing your install?

Yeah, that's sort of unrelated. I've been planning a clean install for a
while.

> you give your usernames and passwords to websites and then be surprised that
> they use them?

When THEY use them? No. When someone else does, yes.

Anyway, we have beaten this horse to death many times over.

~~~
drivebyacct
You're giving your password to someone else. You don't magically get some
guarantee that they are safe, that they won't be stolen etc. Yes, I know that
oAuth perms can be revoked, that is the entire point and that's why it's dumb
to give a site your credentials when better alternatives exist.

"I've never given my username and password directly to websites, except for
Etacts." This is all about Etacts right? How do you expect someone to be
accessing your account? You gave them your user and password. The point is,
you hand out your username and password, it just makes you look silly to
suggest that your account is being compromised by covert wifi sniffers (you
_are_ using encryption right?), etc.

I still don't understand why you need to DBAN to do an OS reinstall unless you
are just using the term DBAN loosely.

------
moolave
Why is it that every time I click on the link, I get a file downloaded? I don't
really want to open it.

~~~
acangiano
My server is having problems.

~~~
epochwolf
Your problem is the page is being gzipped twice. (If you haven't already
figured that out.)

~~~
acangiano
Thanks. The pages were displaying correctly on my machine. However I think
Super Cache compression was partially to blame.

------
surki
Google cache:

[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://antoniocangiano.com/2010/06/15/who-is-accessing-your-gmail-account/&hl=en&strip=0)

------
jonknee
If you're concerned enough about email privacy that you're going to wipe your
computers for keyloggers, why in the world would you ever grant a SaaS access?
That's just asking for trouble.

~~~
acangiano
I trusted the SaaS applications I signed up with. One of them is used by the
jQuery team, another one has just been acquired by Twitter, and the last one
is a YC startup. I wasn't exactly tossing my password around. When evidence of
a possible intrusion emerged, I revoked access (from those apps) and took
steps to prevent a worst case scenario.

~~~
jonknee
You gave your password to several companies and then freaked out when your
account got accessed and assumed that someone camping outside your house must
have cracked your WiFi connection and decided to wipe your computers while
hardwired into your internet connection... I think Occam's razor applies here
and the account was accessed by someone you gave the password to, though your
paranoia is amusing.

It's pretty simple to keep someone out of your email, don't give anyone the
password.

~~~
acangiano
First, I'm not freaking out, nor am I paranoid. I clearly stated that I
believe that the most likely explanation is to be found with the reputable
applications I granted access to.

Of course if I suspect an intrusion, I'm going to ensure that proper action is
taken to cover all of my bases. I was planning a cleanup of my laptop anyway,
so I may as well do it now.

Don't read too much into my changing the password on a wired desktop. It was
one of the computers at hand, so I went with the most secure option, however
unlikely it may be to make a difference (doing so didn't require any extra
effort on my part).

> It's pretty simple to keep someone out of your email, don't give anyone the
> password.

This will be a moot point when Google will implement OAuth for IMAP.

PS: At this point, I believe it was a legitimate access by Etacts.

------
notaddicted
I did a traceroute on the IP address he posted, and on all the websites he
suspects. All signs point to etacts.

<http://pastebin.com/TSKYCW6B>

(also posted [EDIT: unsuccessfully-attempted-to] this on the blog.)

------
maigret
At least the Gmail access overview is a nice feature, far from being universal
for all webmail providers. Every provider should have it.

~~~
yanw
They've also recently added suspicious activity alerts depending on geographic
regions which I thought was a nice touch:
[http://gmailblog.blogspot.com/2010/03/detecting-suspicious-a...](http://gmailblog.blogspot.com/2010/03/detecting-suspicious-account-activity.html)

~~~
David
A very nice touch. About a month ago, I got an alert that my account had been
accessed from China... Never would have known I was at risk otherwise.

------
ottbot
Interesting, I had a look at the tool after reading this and have activity
from the same IP address mentioned in the article.

Update: I have also Etacts with enabled access. I had completely forgotten
about them.

~~~
acangiano
I'm afraid this is common. We better find out what the heck is going on with
that IP. I've enquired with Slicehost about it, and we'll see if they get back
to us.

~~~
snitko
I have the SliceHost ip in the list of recent activity too. Let's find out.

~~~
acangiano
It's confirmed, it was Etacts. I will post a follow-up as soon as I manage to
make the site run smoothly.

------
cominatchu
This was Etacts. We responded to Antonio's support email this morning within a
few minutes of its arrival to let him know the IP address in question belongs
to us. We are talking about ways now to prevent this type of confusion from
happening in the future.

------
fierarul
So after you are giving your email password to external websites you need to
watch the Gmail Account Activity for suspicious access?

~~~
acangiano
Correct. That's a reasonable thing to do. You sign up with a service you trust
because it's convenient and useful to you (e.g., Etacts), and then you make
sure that your trust isn't abused.

You do the same with your credit card whenever you purchased from a site or in
a store. You trust them, but then verify that you are not being screwed over.

~~~
fierarul
Actually the correct thing would be not to give your email password to 3rd
party website, especially if you know you will panic afterwards for every strange
IP you'll see in your logs.

The credit card comparison doesn't really make sense as credit cards were
especially designed to be used the way we use them.

Email accounts haven't been designed to be used in such a fashion as to allow
3rd party applications access them. Especially not the kind of email services
where you don't have access to the server / firewall. What Google is providing
is a nice thing but you only get to see the last 10 entries or so. What
happens when you go on vacation ? What happens if you use some other email
provider ?

My point is that the main conclusion of your blog post should not be about how
you control this but about how you should avoid doing this in the first place.

------
10ren
For the last week or so, I've had a bunch of "Delivery to the following
recipient failed permanently:" emails, for email that was apparently sent from
my gmail account - I assumed that someone started using my return address for
their spam. At about that time, gmail asked me to sign in with a CAPTCHA - I
assumed that google had just added that.

I use an older (faster) version of gmail on my (slower) netbook, which doesn't
have the "account activity" link. After reading this article, I switched
versions and checked: 6 days ago, there was an alert about an access from
China with this IP: 116.30.36.239

The emails in question have stopped for the last couple of days. It seems that
google automatically detected and solved the problem, without me even being
aware of it. Good google.

~~~
TallGuyShort
Did you check your 'sent' folder, by any chance? If there are copies of the
emails there, then most likely they simply accessed your account directly with
your password - which is much more concerning (albeit easy to fix by changing
all your passwords)

~~~
10ren
Whoa, thanks, I should have thought of that! They sent one on the day of the access
(10 June).

There are 17 other potential ones, but I had moved them to my spam folder, so
I can't tell where they came from originally. Looking closer, the first email
in each chain seems to come from my account, but they are spread over several
days, not just the day of the access.

Unfortunately, they could have potentially accessed any other services whose
"forgotten password" emails go to this one, and then deleted the replies. But
it looks like an automated spam attack.

When I realized today, I logged out all other users (there didn't seem to
be any) and changed my password. Maybe I should check all my linked accounts.

_EDIT_ The header of their email has:

    Received: from PC-201004061503 ([116.30.36.239])

Where that IP is the hacker's IP. Comparing with mail I've sent, the Received
line includes my IP and "with HTTP". So it looks like they weren't using the
web interface, but some direct one (IMAP? POP3?). If they're a spammer, it
would be automated. BTW their emails all had the same content, most of them
with the subject " 请在这里编辑主题...", which I'm guessing is "buy viagra" in
Chinese.
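
The header check described in the comment above, as an added example that is not part of this thread: a small Python script that reads messages from a Sent folder export, takes the Received hop nearest the sender, and flags any message whose source address lies outside the owner's usual network or that was not submitted "with HTTP" (i.e. not through the web interface). Only the 116.30.36.239 address and the PC-201004061503 client name come from the comment; the relay names, the owner's 203.0.113.x address, the trusted-network list and the message bodies are constructed for the example.

```python
import re
import ipaddress
from email import message_from_string
from email.policy import default

# Constructed sample messages standing in for a "Sent" folder export.
# Only the 116.30.36.239 address and the PC-201004061503 name come from the
# thread; relay names, the owner's 203.0.113.x address and bodies are made up.
OWN_MESSAGE = """\
Received: from 203.0.113.7 (unknown [203.0.113.7]) by mail.example.invalid with HTTP; Mon, 14 Jun 2010 09:12:03 +0000
From: owner@example.invalid
To: friend@example.invalid
Subject: Lunch tomorrow?

See you at noon.
"""

SUSPICIOUS_MESSAGE = """\
Received: from mail.example.invalid by mx.example.invalid; Thu, 10 Jun 2010 02:41:57 +0000
Received: from PC-201004061503 ([116.30.36.239]) by mail.example.invalid; Thu, 10 Jun 2010 02:41:55 +0000
From: owner@example.invalid
To: someone@example.invalid
Subject: (identical spam subject)

(identical spam body)
"""

# Assumption for the example: the networks the account owner normally sends from.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def originating_hop(raw_message):
    """Return (source_ip, via_web_interface) from the Received hop nearest the sender.

    Each relay prepends its own Received header, so the last one in header
    order is the one added when the message first entered the mail system.
    """
    msg = message_from_string(raw_message, policy=default)
    hops = msg.get_all("Received") or []
    if not hops:
        return None, False
    first_hop = str(hops[-1])
    match = IPV4_RE.search(first_hop)
    source_ip = match.group(0) if match else None
    return source_ip, "with HTTP" in first_hop


def classify(raw_message):
    """Label one sent message as 'expected', 'suspicious: ...' or 'unknown: ...'."""
    source_ip, via_web = originating_hop(raw_message)
    if source_ip is None:
        return "unknown: no usable Received header"
    addr = ipaddress.ip_address(source_ip)
    trusted = any(addr in net for net in TRUSTED_NETWORKS)
    if trusted and via_web:
        return "expected"
    reasons = []
    if not trusted:
        reasons.append(f"source {source_ip} outside trusted networks")
    if not via_web:
        reasons.append("not submitted via the web interface (client/IMAP/SMTP path)")
    return "suspicious: " + "; ".join(reasons)


def audit(raw_messages):
    """Return [(subject, verdict)] for every message, suspicious ones first."""
    results = []
    for raw in raw_messages:
        subject = message_from_string(raw, policy=default)["Subject"] or "(no subject)"
        results.append((str(subject), classify(raw)))
    results.sort(key=lambda item: not item[1].startswith("suspicious"))
    return results


if __name__ == "__main__":
    for subject, verdict in audit([OWN_MESSAGE, SUSPICIOUS_MESSAGE]):
        print(f"{verdict:70s} {subject}")
```

The trusted-network list is a stand-in; in practice you would populate it from the addresses the account activity page shows for your own sessions. Two caveats apply: Received headers are added by relays, so the hop nearest the sender is the last one in header order, not the first; and, as another comment in this thread notes, sent messages can be deleted by whoever has the password, so an empty result does not prove that nothing was sent.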

~~~
hboon
No, it says "write subject here".

~~~
10ren
thanks!

------
snitko
The site is down. Summary, anyone?

~~~
acangiano
It should be back up and running soon. You'd think 1GB of RAM would be enough
to handle a few thousand hits to serve a static page.

EDIT: The server is still having issues.

~~~
patio11
Hello, fellow Apache user! You may wish to look into Nginx. My Japanese toilet
seat practically has enough memory on it to serve all my business needs.

One of these days I have to migrate all of my Apache-hosted Wordpress blogs to
Nginx.

~~~
steve19
" You may wish to look into Nginx"

I second this. For years I tried to tame the beast that is Apache. After
switching to nginx I could not be happier.

------
Groxx
_I verified that there were no messages sent on my behalf._

How can this be verified, given that sent messages can be deleted as well?

------
jeff18
Is it just me or does Gmail only show you the past 24 hours of activity?

