James Fisher wrote about his personal experience, pointing out that while he used the Gmail address jameshfisher@, people who sent him email with full-stops anywhere in that handle could reach him. For example, james.hfisher@ would also get to his mailbox.
When he received an email from Netflix in February, telling him that his account was on hold due to his credit card being declined, he was surprised. But on going to the Update page for the account, he noticed that the card number which was listed as being declined did not match his – the last four digits were different.
Fisher then had a closer look at the email he had received and noticed that it was addressed to james.hfisher@. Given that Gmail considers that the dots do not matter, the email had not bounced.
Fisher reasoned that there were two possibilities: one, this was one of the 12 genuine James Fishers living in Alabama who had mistyped his email address when signing up for Netflix. Netflix, it must be noted, does not check that an email address is valid before allowing someone who signs up to start watching films.
The second possibility was that someone had done this deliberately, in the hope that Fisher would automatically update the card details on the Update page – and end up paying for this unknown person to watch films free.
Fisher outlined the way this could be done:
- Hammer the Netflix sign-up form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
- Create a Netflix account with address james.hfisher.
- Sign up for free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
- Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
- Change the email for the Netflix account to email@example.com, kicking Jim’s access to this account.
- Use Netflix free forever with Jim’s card **** 1234!
As to where the security flaw lay, Fisher said: "Some would say it’s Netflix’s fault; that Netflix should verify the email address on sign-up. But using someone else’s address on sign-up only cedes control of the account to that person.
"Others would say that Netflix should disallow the registration of firstname.lastname@example.org, but this would force Netflix and every other website to have insider knowledge of Gmail’s canonicalisation algorithm."
He concluded that the fault lay with Gmail because, "The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set."
"The Gmail team should combat this kind of phishing," Fisher wrote. "They should officially acknowledge that dots-don’t-matter is a misfeature. Indeed, the Gmail team admitted that dots-don’t-matter is 'confusing' way back when they announced the feature in 2008.
"Each Google account should have one variant configured as its standard address; I would set email@example.com as standard, and maybe John would set firstname.lastname@example.org as standard. If an email is sent to a non-standard address, it should be shown with a warning (similar to that below):"
He suggested that Gmail users should be able to opt out of dots-don’t-matter if they so wished.
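The two mechanisms the article turns on, Gmail's dots-don't-matter canonicalisation and Fisher's proposed warning for mail addressed to a non-standard variant, as an added illustration in Python (not code from Fisher's post or from Gmail). It assumes the canonical form is simply the local part with dots removed and case folded, and uses the handles jameshfisher@ and james.hfisher@ from the article with a constructed sample message.

```python
from email import message_from_string
from email.utils import getaddresses

# Domains known to apply the dots-don't-matter rule (assumption: only Gmail's own).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def gmail_canonical(address: str) -> str:
    """Collapse an address to the form Gmail's mailbox lookup uses.

    For Gmail domains the dots in the local part are ignored and matching is
    case-insensitive; for any other domain only the domain is lower-cased,
    because a website cannot know that provider's rules (Fisher's point about
    'insider knowledge of Gmail's canonicalisation algorithm').
    """
    local, _, domain = address.strip().partition("@")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_gmail_mailbox(a: str, b: str) -> bool:
    """True when both spellings land in the same Gmail inbox."""
    return gmail_canonical(a) == gmail_canonical(b)


def nonstandard_recipients(raw_message: str, standard_address: str) -> list[str]:
    """Recipients that reach the user's mailbox but are not the user's chosen
    standard spelling. A non-empty list is the case Fisher wants flagged with
    a warning in the inbox."""
    msg = message_from_string(raw_message)
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [
        addr
        for _, addr in recipients
        if same_gmail_mailbox(addr, standard_address)
        and addr.lower() != standard_address.lower()
    ]


# Constructed sample: a billing notice sent to the dotted variant of the handle.
SAMPLE_MESSAGE = """\
From: billing@example.net
To: james.hfisher@gmail.com
Subject: Your account is on hold

Please update your payment details.
"""

if __name__ == "__main__":
    print(nonstandard_recipients(SAMPLE_MESSAGE, "jameshfisher@gmail.com"))
```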