G-Archiver, the software that was previously caught by Coding Horror and blogged about here, has pulled the version of the software that captures user credentials and e-mails them to Google. From the time it was discovered by Coding Horror on the 7th to this morning, when the tainted version was pulled, is about 5 days.
While responding in five days is not bad for a company, the explanation offered for why the code was there in the first place is that this was debug code.
Debug code like this should never have passed any form of internal QA.
Using a Gmail account as a debug channel further calls the “debug story” into doubt. I have never known a company to use Gmail for debugging purposes on a piece of stand-alone software. While G-Archiver does work with Google, the story just does not ring true: you don’t copy and capture user logins and send them to Gmail as a debug process.
This reads more like damage control than anything else. Damage control is worth doing, but the problem is that all of this passed QA, and it took an outside researcher to catch the issue. It is as if they never went back and asked themselves, “did I remove all the debug code?”
There will probably be more on this one. In the longer run, though, never trust software. If you have to trust software, check it out in house, search Google for it, and find out about as many flaws as possible before you download it.
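The question “did I remove all the debug code?” is one a release process can ask mechanically. The scanner below is an added example written for this post, not code from G-Archiver or from the original article: it walks a set of source files and flags the kinds of leftovers described above (debug markers, hard-coded e-mail addresses, SMTP hosts and inline passwords) so that a build fails before it ships. The file contents, pattern names and the module layout are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Patterns a pre-release gate would flag. These are illustrative choices
# (assumption), not rules taken from the post or from any real product.
PATTERNS = {
    # comment markers that usually mean "temporary" code
    "debug-marker": re.compile(r"#\s*(DEBUG|TODO\s*:?\s*remove|XXX)", re.IGNORECASE),
    # an e-mail address literal in source: a sign of a hard-wired mailbox
    "email-address": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # a mail relay host literal: stand-alone software rarely needs one
    "smtp-host": re.compile(r"smtp\.[A-Za-z0-9.-]+", re.IGNORECASE),
    # an inline credential assignment
    "hardcoded-secret": re.compile(r"""(password|passwd|pwd)\s*=\s*["'][^"']+["']""", re.IGNORECASE),
}

Finding = Tuple[str, int, str]  # (path, line number, pattern name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per (line, pattern) hit in a single file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents, in stable path order."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def release_gate(files: Dict[str, str]) -> bool:
    """True when the tree is clean and may ship; False blocks the release."""
    return len(scan_tree(files)) == 0


# Constructed sample tree (not real G-Archiver source): two files carry
# the leftovers the post describes, one is clean.
SAMPLE_TREE = {
    "archiver/config.py": (
        'SMTP_HOST = "smtp.gmail.com"\n'
        'DEBUG_MAILBOX = "debug.mailbox@example.com"  # constructed sample\n'
        'password = "ChangeMe123"\n'
    ),
    "archiver/login.py": (
        "def login(user, pw):\n"
        "    # DEBUG: remove before release\n"
        "    return connect(user, pw)\n"
    ),
    "archiver/util.py": (
        "def clamp(x, lo, hi):\n"
        "    return max(lo, min(x, hi))\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, name in scan_tree(SAMPLE_TREE):
        print(f"{path}:{lineno}: {name}")
    print("release allowed:", release_gate(SAMPLE_TREE))
```

Run against a real checkout, the same functions would take the output of a directory walk instead of `SAMPLE_TREE`; the point is that the gate fails closed on any hit, so a mailbox or relay host left in the code is caught by the build rather than by an outside researcher.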