Gmail is secure. Netflix is secure. Together they're a phishing threat

Google doesn't recognise dots in email addresses, which creates an opportunity for evil

A developer has discovered that Gmail's email handling creates a handy phishing vector to attack Netflix customers.

The problem is that Netflix, like most systems, recognises dots in e-mail handles (so richardchirgwin and richard.chirgwin are different accounts) – but Gmail does not.

Over the weekend, developer James Fisher described his experience here: he received a legitimate e-mail from Netflix addressed to james.hfisher@gmail.com that Gmail helpfully redirected to his dotless account.

[Image: email from Netflix to James Fisher. Caption: Genuine in almost every way: the e-mail Fisher received]

Since the e-mail arrived to the correct inbox, and since it genuinely came from Netflix, Fisher came close to accepting its request that he update his details – except that he didn't recognise the credit card attached to the “dotted” account.

This, Fisher wrote, creates the phishing vector: if an attacker tried hard enough, they could find a Netflix account registered to an existing Gmail address, and could then register another Netflix account using that Gmail address with an extra dot in it.

If the attacker signed up with a “throwaway” card number, and then cancelled the card, Netflix would email the “real” Gmail account-holder asking for a valid card. It only needs the recipient to do so without noticing a discrepancy, and the attacker has tricked someone into paying for their streaming.

Security luminary Bruce Schneier commented that the problem is subtle: “It's an example of two systems without a security vulnerability coming together to create a security vulnerability.”

Fisher suggested two possible fixes: Google could warn a Gmail user prominently that an e-mail was sent to a “non-standard” address, and could let users opt out of the “dots don't matter” feature.

He added that he believes the feature should be retired. Google, however, has promoted it as a useful feature. ®
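The mechanics above come down to two address comparisons that disagree. The following Python is an added example, not code from the article, from Fisher, or from Google or Netflix: it canonicalises an address the way Gmail delivers it (dots in the local part ignored, case folded, and the "+tag" suffix dropped, which is a Gmail feature the article does not mention), then shows the dot-sensitive comparison the article attributes to Netflix beside a canonicalised one, a hypothetical signup check that refuses a second account for the same inbox, and the "non-standard address" warning Fisher proposed. The domain list, the function names and the sample addresses are assumptions constructed for the example.

```python
"""Gmail-style address canonicalisation and the two checks it enables.

Added example; not the article's, Gmail's or Netflix's code.
"""
from typing import Dict, Optional

# Assumption: domains whose mailbox provider ignores dots in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def canonical_address(address: str) -> str:
    """Return the inbox that `address` actually delivers to.

    For dot-insensitive domains the local part has its dots removed, any
    "+tag" suffix dropped and its case folded. Other domains are left as
    written apart from lower-casing the domain, since we cannot assume
    their local parts are case- or dot-insensitive.
    """
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@{domain}"


def dot_sensitive_match(a: str, b: str) -> bool:
    """The comparison the article says Netflix (like most systems) makes:
    dots are significant. Case folding is an assumption for the example."""
    return a.strip().lower() == b.strip().lower()


def same_inbox(a: str, b: str) -> bool:
    """Comparison after canonicalisation: two spellings of one Gmail inbox
    compare equal, so a dot-sensitive service can spot the collision."""
    return canonical_address(a) == canonical_address(b)


def register(accounts: Dict[str, str], address: str) -> bool:
    """Hypothetical signup check for a service: refuse the account if the
    canonical inbox is already registered, whatever spelling was used.
    Returns True when the account is created."""
    key = canonical_address(address)
    if key in accounts:
        return False
    accounts[key] = address
    return True


def non_standard_address_warning(to_header: str,
                                 primary_address: str) -> Optional[str]:
    """Fisher's first suggested fix, from the mailbox side: if a message was
    delivered to this inbox but addressed to a spelling other than the
    user's primary address, return a warning string; otherwise None."""
    if to_header.strip().lower() == primary_address.strip().lower():
        return None  # addressed exactly as the user spells it
    if canonical_address(to_header) == canonical_address(primary_address):
        return (f"Warning: this message was addressed to {to_header!r}, "
                f"not to your primary address {primary_address!r}")
    return None  # a different inbox altogether; not this inbox's concern


if __name__ == "__main__":
    # Constructed sample: the dotted spelling from the article and its
    # dotless form, which Gmail delivers to the same inbox.
    dotted, dotless = "james.hfisher@gmail.com", "jameshfisher@gmail.com"
    print("dot-sensitive match:", dot_sensitive_match(dotted, dotless))
    print("same inbox:         ", same_inbox(dotted, dotless))
    accounts: Dict[str, str] = {}
    print("first signup:       ", register(accounts, dotless))
    print("dotted signup:      ", register(accounts, dotted))
    print(non_standard_address_warning(dotted, dotless))
```

The signup check is the service-side counterpart of Fisher's mailbox-side warning: either one breaks the chain, because the attacker's second registration is refused before a payment-failure e-mail can ever be sent, or the victim is told the message was addressed to a spelling they never use.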
