Gmail is secure. Netflix is secure. Together they're a phishing threat
Google doesn't recognise dots in email addresses, which creates an opportunity for evil
A developer has discovered that Gmail's email handling creates a handy phishing vector to attack Netflix customers.
The problem is that Netflix, like most systems, recognises dots in e-mail handles (so richardchirgwin and richard.chirgwin are different accounts) – but Gmail does not.
Over the weekend, developer James Fisher described his experience here: he received a legitimate e-mail from Netflix addressed to firstname.lastname@example.org that Gmail helpfully redirected to his dotless account.
Geniune in almost every way: the e-mail Fisher received
Since the e-mail arrived to the correct inbox, and since it genuinely came from Netflix, Fisher came close to accepting its request that he update his details – except that he didn't recognise the credit card attached to the “dotted” account.
This, Fisher wrote, creates the phishing vector: if an attacker tried hard enough, they would find a Netflix account whose Gmail registration already exists, and can register another account with an extra dot in the Gmail address.
If the attacker signed up with a “throwaway” card number, and then cancelled the card, Netflix would email the “real” Gmail account-holder asking for a valid card. It only needs the recipient to do so without noticing a discrepancy, and the attacker has tricked someone into paying for their streaming.
Security luminary Bruce Schneier commented that the problem is subtle: “It's an example of two systems without a security vulnerability coming together to create a security vulnerability.”
Fisher suggested two possible fixes: Google could warn a Gmail user prominently that an e-mail was sent to a “non-standard” address, and should let users opt-out of the “dots don't matter” feature.
He added that he believes the feature should be retired. Google, however, has promoted it as a useful feature. ®