Cloudsweeper’s Gmail Security Audit Is Alarming and Useful

How much is your e-mail worth to a bad guy?

Harry McCracken / TIME.com

When I learned–via Ryan Whatwam of–that researchers at the University of Illinois at Chicago’s Computer Science Lab had created a tool which can tell Gmail users how much their accounts are worth to a hacker, I immediately gave it a whirl. Twice, actually–once with a Gmail account I use for business stuff, once with my personal one. And I discovered that someone who broke into my accounts could theoretically make $5.30 from my business account and $28.30 from the personal one.

How so? A bad guy who has access to your e-mail can get into your other accounts, including social networking ones such as Facebook; e-commerce companies like Apple and Amazon; and a whole lot more. In some cases, access to your e-mail is the only thing the bad guy needs to “recover” your passwords for other services and thereby compromise them. Sometimes, other personal information is required for verification. But in either case, a hacker who manages to break into your accounts can sell information about them on the black market.

For instance, Cloudsweeper estimates that an Amazon account is worth $15, an Apple iTunes account $8 and a Facebook account $5. The auditing process scours your e-mail to determine which services are associated with it, then tallies the potential damage.

Another Cloudsweeper audit tells you about cleartext passwords in your Gmail–ones which are sitting right there in your inbox, unencrypted. Sending them that way is always a terrible idea, since they’re at risk of theft along the way and are especially vulnerable if someone manages to snoop around in your mail. Once Cloudsweeper has found such passwords, it offers to encrypt them for you or simply delete them from the messages in question.

When I tried this audit, there were a fair number of false positives: Cloudsweeper gets confused by text such as “No password is required” in e-mail bodies. But it also found several instances of well-known companies sending me my passwords–ones I most definitely want to keep secret–without taking any steps to secure them.
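The kind of scan the audit performs, and the “No password is required” false positive described above, as an added Python example written for this page (not Cloudsweeper’s own code); the sample messages and the regexes are constructed here.

```python
import re
from typing import List, Tuple

# Constructed sample messages as (subject, body); not real mail. The
# "No password is required" body reproduces the false positive the article
# describes.
SAMPLE_MESSAGES = [
    ("Welcome to ExampleShop", "Hi,\nYour password is: Tr0ub4dor&3\nKeep it safe."),
    ("Account notice", "No password is required to view your statement."),
    ("Wi-Fi details", "Network: guest\nPassword: welcome2013"),
    ("Reset done", "Your password has been reset. Use the link below."),
]

# A hit is the word "password", an assignment-like separator, then a token.
CREDENTIAL_RE = re.compile(
    r"\bpassword\b\s*(?:is|=|:)\s*:?\s*(?P<secret>\S{4,})", re.IGNORECASE
)
# A negation shortly before "password" ("No password is required") means the
# line is talking about passwords, not disclosing one.
NEGATION_RE = re.compile(
    r"\b(?:no|not|never|without)\b[^.\n]{0,20}\bpassword\b", re.IGNORECASE
)

Finding = Tuple[str, int, str]  # (subject, 1-based line number, secret)

def find_cleartext_passwords(messages, guard_negations=True) -> List[Finding]:
    """Return apparent cleartext passwords found in the message bodies.

    With guard_negations=False the scan behaves like the naive matcher the
    article complains about and reports "required" as a password.
    """
    findings = []
    for subject, body in messages:
        for lineno, line in enumerate(body.splitlines(), start=1):
            if guard_negations and NEGATION_RE.search(line):
                continue
            m = CREDENTIAL_RE.search(line)
            if m:
                findings.append((subject, lineno, m.group("secret").rstrip(".,;")))
    return findings

def redact_body(body: str) -> str:
    """Replace each disclosed password with a marker (the tool's delete option)."""
    def _redact(line: str) -> str:
        if NEGATION_RE.search(line):
            return line
        return CREDENTIAL_RE.sub(
            lambda m: m.group(0).replace(m.group("secret"), "[REDACTED]"), line)
    return "\n".join(_redact(line) for line in body.splitlines())
```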

Cloudsweeper provides tips about securing your Gmail, including the single most sensible one of all: Use two-factor authentication. And its creators let the folks who audit their Gmail opt into allowing their data to be used, anonymously, as part of a study on reuse of passwords. In the end, the part about telling you how much a hacker could make off your account is a bit of a gimmick–but the whole exercise is a useful reminder that if your e-mail isn’t secure, neither is your online life.

Cloudsweeper [ via]