Security Market Segment LS
Tuesday, 10 April 2018 08:53

Gmail's 'dots don't matter' feature can lead to phishing

By Sam Varghese

An obscure feature in Gmail, under which dots in the local part of an address (the part before the @) are ignored, can be used to scam users of a site like Netflix, where the dots do matter, a software engineer in the UK says.

James Fisher wrote about his personal experience, pointing out that while he used the Gmail address jameshfisher@, people who sent him email with full-stops anywhere in that handle could reach him. For example, james.hfisher@ would also get to his mailbox.

When he received an email from Netflix in February, telling him that his account was on hold due to his credit card being declined, he was surprised. But on going to the Update page for the account, he noticed that the card number which was listed as being declined did not match his – the last four digits were different.

Fisher then had a closer look at the email he had received and noticed that it was addressed to james.hfisher@. Given that Gmail considers that the dots do not matter, the email had not bounced.

Someone had signed up for Netflix using this email address, but given that he also had access to it, he was able to change the password and see the profile of the person in question, who appeared to be based in Huntsville, Alabama.

Fisher reasoned that there were two possibilities: one, this was one of the 12 genuine James Fishers living in Alabama who had typed in his email address wrong when signing up for Netflix. Netflix, it must be noted, does not check if an email address is valid before allowing someone who signs up to start watching films.

The second possibility was that someone had done this deliberately, in the hope that Fisher would automatically update the card details on the Update page – and end up paying for this unknown person to watch films free.

Fisher outlined the way this could be done:

  • Hammer the Netflix sign-up form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
  • Create a Netflix account with address james.hfisher.
  • Sign up for free trial with a throwaway card number.
  • After Netflix applies the “active card check”, cancel the card.
  • Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  • Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  • Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
  • Use Netflix free forever with Jim’s card **** 1234!

As to where the security flaw lay, Fisher said: "Some would say it’s Netflix’s fault; that Netflix should verify the email address on sign-up. But using someone else’s address on sign-up only cedes control of the account to that person.

"Others would say that Netflix should disallow the registration of james.hfisher@gmail.com, but this would force Netflix and every other website to have insider knowledge of Gmail’s canonicalisation algorithm."

He concluded that the fault lay with Gmail because, "The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set."

"The Gmail team should combat this kind of phishing," Fisher wrote. "They should officially acknowledge that dots-don’t-matter is a misfeature. Indeed, the Gmail team admitted that dots-don’t-matter is 'confusing' way back when they announced the feature in 2008.

"Each Google account should have one variant configured as its standard address; I would set jameshfisher@gmail.com as standard, and maybe John would set john.smith@gmail.com as standard. If an email is sent to a non-standard address, it should be shown with a warning (similar to that below):"

[Image: Fisher's mock-up of the warning Gmail could show on mail sent to a non-standard address]

He suggested that Gmail users should be able to opt out of dots-don’t-matter if they so wished.
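To make the canonicalisation concrete, here is an added example (not code from Fisher's post or from Google) that collapses a Gmail address to the mailbox it actually reaches and then implements the mitigation he proposes: the user nominates one variant as standard, and any message addressed to a different variant of the same mailbox gets a warning. The `GMAIL_DOMAINS` set and the sample `To:` header are assumptions constructed for the demo.

```python
"""Canonicalise Gmail addresses and flag mail sent to a non-standard variant."""
from email.utils import parseaddr
from typing import Optional

# Assumption for the demo: only this domain applies the dots-don't-matter rule.
GMAIL_DOMAINS = {"gmail.com"}


def canonical_gmail(address: str) -> str:
    """Return the mailbox an address delivers to.

    For Gmail, dots in the local part are ignored, so jameshfisher@gmail.com
    and james.hfisher@gmail.com are one mailbox. Other domains are left
    alone apart from lower-casing the domain, since their dots do matter.
    """
    _, addr = parseaddr(address)          # strips a display name if present
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two addresses reach the same inbox under Gmail's rules."""
    return canonical_gmail(a) == canonical_gmail(b)


def non_standard_warning(standard: str, to_header: str) -> Optional[str]:
    """Fisher's proposed mitigation: warn when mail for this mailbox was
    addressed to a variant other than the one the user chose as standard."""
    if not same_mailbox(standard, to_header):
        return None                       # someone else's mailbox; not our concern
    _, to_addr = parseaddr(to_header)
    if to_addr.lower() == standard.lower():
        return None                       # sent to the standard address; no warning
    return (f"This message was addressed to {to_addr}, not to your standard "
            f"address {standard}. It may not have been meant for you.")


# Constructed sample: the Netflix-style message from the article.
STANDARD = "jameshfisher@gmail.com"
SAMPLE_TO = "James Fisher <james.hfisher@gmail.com>"

if __name__ == "__main__":
    print(canonical_gmail(SAMPLE_TO))
    print(non_standard_warning(STANDARD, SAMPLE_TO))
```

The `same_mailbox` check is also exactly the "insider knowledge" of Gmail's scheme that Fisher notes a site like Netflix would need in order to refuse a dot-variant of an already-registered address.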

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.