Obscure E-Mail Vulnerability
This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the same as b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those email addresses—if they’re even valid.) Netflix doesn’t ignore dots, so those are all unique e-mail addresses and can each be used to register an account. This difference can be exploited.
I was almost fooled into perpetually paying for Eve’s Netflix access, and only paused because I didn’t recognize the declined card. More generally, the phishing scam here is:
- Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
- Create a Netflix account with address james.hfisher.
- Sign up for free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
- Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
- Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
- Use Netflix free forever with Jim’s card **** 1234!
Obscure, yes? A problem, yes?
James Fisher, who wrote the post, argues that it’s Google’s fault. Ignoring dots might give people an enormous number of different email addresses, but it’s not a feature that people actually want. And as long as other sites don’t follow Google’s lead, these sorts of problems are possible.
I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who—if anyone—has the responsibility of fixing it.
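A defensive check for the Gmail/Netflix interaction described above, as an added example that is not code from the post or from either company: it canonicalises an address the way the receiving provider routes it, then uses that to detect a second signup on a mailbox that already owns an account. The provider list, the function names and the sample accounts are assumptions.

```python
# Added example (not from the post): canonicalise e-mail addresses the way the
# receiving provider does, so a service can notice that a new signup collapses
# onto a mailbox that already has an account.
from __future__ import annotations

# Providers known to ignore dots in the local part (Gmail and its older
# googlemail.com alias). Every other domain is treated as dot-sensitive.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(addr: str) -> str:
    """Return the mailbox an address actually delivers to.

    For dot-insensitive providers the dots in the local part are removed,
    mirroring how the provider routes mail. Gmail also discards a '+tag'
    suffix (a Gmail feature the post does not mention), so it is stripped
    as well. Domains are lower-cased everywhere; the local part is only
    lower-cased for providers known to treat it case-insensitively.
    """
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def signup_collision(new_addr: str, registered: list[str]) -> str | None:
    """Return the registered address that delivers to the same mailbox as
    new_addr, or None when there is no collision.

    Run at signup, this lets a service refuse (or at least flag) a second
    account on a mailbox that already has one, which is the gap the post
    describes: james.hfisher@ and jameshfisher@ are one Gmail inbox.
    """
    target = canonical_mailbox(new_addr)
    for existing in registered:
        if canonical_mailbox(existing) == target:
            return existing
    return None


if __name__ == "__main__":
    # Constructed sample data: existing accounts and two attempted signups.
    accounts = ["jameshfisher@gmail.com", "w.essing@example.com"]
    print(signup_collision("james.hfisher@gmail.com", accounts))  # jameshfisher@gmail.com
    print(signup_collision("wessing@example.com", accounts))      # None (dot-sensitive domain)
```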
Erik • April 9, 2018 6:47 AM
I have encountered the Stupid User Trick version of this problem with gmail.
There is a person whose work email address is apparently “w.essing@” whatever the domain is.
Mr. Essing routinely gives out “w.essing” as his personal gmail address.
Without the dot, that’s my gmail address.
All his correspondence is in German, too, which I do not speak or read.