Gmail is secure. Netflix is secure. Together they're a phishing threat

A developer has discovered that Gmail's email handling creates a handy phishing vector to attack Netflix customers. The problem is that Netflix, like most systems, recognises dots in e-mail handles (so richardchirgwin and richard.chirgwin are different accounts) – but Gmail does not. Over the weekend, developer James Fisher …


  1. Anonymous Coward

    This has happened to me for years

    But with Amazon. Sometimes I cancel her parcels.

    1. Lee D Silver badge

      Re: This has happened to me for years

      Yeah, I have a guy with the same name in Ireland who's somehow convinced that he has a variation of my email address.

      One year I managed to get a postal address off a plane ticket he bought and sent him a letter. He was very good for a while, and wrote a nice letter back and closed a bunch of accounts (including PayPal - I could have been very naughty and "confirmed" his account and then waited for him to add a credit card, but I'm far too honest). But then either he or another person in Ireland with the same name started doing it again about six months later.

      I now just put them in spam folders. Fact is, it's more tricky to convince me anyway as I have a domain that forwards to various things (one destination is a GMail that I can access on the go), but for which I use unique prefixes for each service. It's quite obvious and takes seconds to know if an email was sent to the actual prefix I signed up with, to some made-up prefix at my domain, or direct to the GMail account. Pretty much anything direct to the account is spam (I've never advertised that address whatsoever).

      I always wondered what the point of the dot-address stuff was on GMail as I could only think of ways for it to go wrong. On a side-note, does anyone remember the Apache mod_spell module, that would try to correct mis-spelled page names? That always seemed the same to me... surely it just lets a ton of mis-spelled links propagate all over the web rather than actually fix the problem.

      1. Dave 126 Silver badge

        Re: This has happened to me for years

        I use the dot in my Gmail address. Say I'm signing up to a website, I might use j.oebloggs@gmail instead of joebloggs. If that website passes on my address and results in spoof mail, I can more easily block it. It's handy because not every site accepts a plus sign in the email field, so I can't always use joebloggs+netflicks@gmail.com

        1. John Brown (no body) Silver badge

          Re: This has happened to me for years

          "It's handy because not every site accepts a plus sign in the email field, so I can't always use joebloggs+netflicks@gmail.com"

          Conversely, a dot IS a valid part of an email address so Google ignoring it is just wrong.

          1. Medical Cynic

            Re: This has happened to me for years

            If you can create a filter about dots, as the linked article says you can with plus signs, it would be worth setting this up to add a red label as a warning.

      2. CrazyOldCatMan Silver badge

        Re: This has happened to me for years

        he has a variation of my email address

        This is one of the positive benefits of owning my own domain and running my own server - I control absolutely who gets an email address and what format it is.

        Of course there is a downside - having a catchall address also means what little spam gets through my firewall ends up in my address (which can also be useful - I can use variants of my email address for specific vendors so I'll know who has been abusing my emails..).

        1. Trixr

          Re: This has happened to me for years

          I have to say that operating a catchall address in this day and age is really a liability and not an asset. Unless of course you're maintainer of some RBL.

          If you want to know who's trying to spam you, you simply look at the mail log and the rejected messages.

          If you're using it as a honeypot to construct some kind of home-baked RBL, then just subscribe to Spamhaus Zen. Their database is orders of magnitude bigger than anything a little home domain will encounter... and is therefore much more useful if some exploit is in the wild. It's free for a host processing less than 100,000 SMTP connections per day. I used it for my medium-sized organisation (5000 mailboxes) until they made us get crappy Ironport. Like any RBL, the rejected connections are clearly logged in the mail log.

          If you're operating a catch-all to capture misspellings of your email address(es), simply set up a catch-all that's aliased only with the likely misspellings.

      3. littlesmith

        Re: This has happened to me for years

        Google (as well as the infamous mod_spell) ignores two basic rules of good software development:

        1. Never fix user input!

        2. If the customer insists on breaking the first rule, then let the software inform the user about the fix and let the user confirm the fix!

        Fixing user input silently is very wrong. There are so many reasons for wrong user input: typos, wrong information, fraud etc. If the software fixes it without informing the user, the user has no chance to find out that something is wrong.

        I don't use Gmail, so I was quite surprised that they do such a stupid thing. I thought in 2018 every software engineer should have learned that at university...

        BR

        littlesmith

    2. Martin Summers Silver badge

      Re: This has happened to me for years

      I'm in contact with around 3 or so namesakes I get email for including one in my home town. I've had property rental statements, mortgage application details house sale agreements, job contracts. I even got something rather important that I could have digitally signed for and caused all kinds of issues. Quite a lot of the time the companies they are using have assumed my namesakes have made a mistake in the email address they've given and corrected it to mine off their own back. I am however nice and let people know of their mistake. I even forward email on to one guy in the US, trouble is when I used to send myself an email to remind myself of things (stopped doing that a long while ago), he was in my autocomplete and I sent him my private stuff a couple of times!

      I've used the dot in my email address for services that point blank refuse to allow me to use my original email address as they have it on file but no password reset mechanism. I find it quite useful so I hope it's not retired.

      1. Professor Clifton Shallot

        Re: This has happened to me for years

        > I've had property rental statements, mortgage application details
        > house sale agreements, job contracts.

        Same.

        It turns out that a lot of people have a firstname.lastname that is the same as the single name on a gmail account I use - and it seems plenty of them are handing out the wrong address or friends and family are misremembering / guessing wrongly.

        I was copied into one conversation involving organising, and paying for tickets to a group trip to an event at the Sydney Opera house that in total gave me a perfect little identity theft kit overnight.

        I've had very many opportunities to activate post-sale services for someone in California who bought a posh car. And for someone on the East Coast who bought a much less posh one.

        There have been plenty of invites to things that sounded like a lot of fun but were happening on the wrong continent and more than a few pieces of very personal news.

        It's not really much of an inconvenience for me but I suspect some of the intended recipients would really rather it didn't work the way it does.

    3. Sorry that handle is already taken. Silver badge

      Re: This has happened to me for years

      I am constantly receiving emails intended for multiple people with the same name as me. I even called one on the phone to warn them, but I think that just freaked them out.

  2. Anonymous Coward

    Google ignore dots in email addresses? Why? It's bound to cause problems like this.

    Am I right in thinking that this is not a widely understood feature?

    1. Anonymous Coward

      IIRC it says on the registration form.

      1. Anonymous Coward

        IIRC it says on the registration form.

        Well, that depends on when one registered a gmail address (like, a long time ago). It's also exactly the kind of thing most people will forget. It's also very non-standard. And who actually reads that crap in the first place?

        1. Anonymous Coward

          Well...DUH!

          Also, why haven't folks complained about ignoring the + you can put at the end of your gmail address?

          So yournamehere+whatanumpty@gmail.com would work just as well as your.name.here@gmail.com

          WHY OH WHY OH WHY do f**ktards like to moan about features that have been around since day 1 ???

          Can't the commentards just keep them.selves to themselves.... ???

          Sure, this is something to be aware of, but hey - don't go blaming Google because you are a numpty that doesn't understand the service you are using FOR FREE.....

    2. Amos1

      Why should punctuation in a name indicate a different person any more than it does in real life?

      "John Doe Jr" is the same as "John Doe Jr." in real life. "John J Doe" is the same on any legal document as "John J. Doe".

      Treating punctuation differently in email addresses is no different than typo-squatting a domain name except it's less obvious.

      Gmail has been this way for years and other sites should follow their example on all new email addresses. We know what evil lurks on the Internet so let's close off the easy methods rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway.

      1. Jediben

        Re: Why should punctuation in a name indicate a different person any more than it does in real life?

        It's not a different person, it's a different location. Works for other things too.

        Would you prefer your holiday destination to be 27.3c or 273c?

      2. tip pc Silver badge

        Re: Why should punctuation in a name indicate a different person any more than it does in real life?

        "rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway."

        Most email clients hide the actual email address that is being sent to, so there is little chance to spot the mistake. The thing is though, it should not matter if someone changes their email address to yours post sign up, as an email should be sent stating "you've changed your email address to this, click here to confirm. If you've not changed your address then ignore this email" or some words along those lines. When the link is clicked, the user should have to then enter their account username and password before the change is confirmed. If someone is trying to spoof or phish you into something, not having the password will stop the email change to look like yours. In order to login and add a CC will require a password reset, and the scammer won't have it and won't be able to reset it as the reset email will go to you. You may end up with 2 Netflix accounts, but that's easily refundable by Netflix, as why would you have two accounts with similar email addresses?

        This is all FUD and aimed at Netflix for the person who claims this story happened to them to gain some column inches.

        This is easily verifiable by anyone changing the email address of their Netflix or other reputable online service/retailer. There are established rules and procedures around doing this thing, any auditor will check for.

        1. HugoToledoUSA

          Re: Why should punctuation in a name indicate a different person any more than it does in real life?

          I don't think you understand the attack. You create a previously non-existent account on Netflix, which is given the dotted email address. When the legitimate Netflix user gets the message, they are able to change the card details. Some (admittedly small) percentage of folks will do just that, allowing the fake user to get Netflix for free.

    3. ThomH

      Re: 'why', I would assume it's from a zealous reading of RFC 2822; in its grammar a dot is defined as a separator but a separator has no defined lexical meaning for the local part of an address. A server can do whatever it wants — to the extent that 2822's predecessor, 822, received an official amendment to clarify that the local part should not be modified when forwarding messages. Prior to that it was valid for server A to remove or add dots as it felt fit, then pass that along to server B assuming it made no difference there either.

  3. Anonymous Coward

    Although...

    To be clear, Google *no longer allow you* to register an account that exists, but with extra dots. But *they used to*. So the bug in the original article isn't quite accurate; you can't go creating accounts. But there are a subset of existing accounts that have alternates.

    1. Anonymous Coward

      Re: Although...

      I think it is more complicated than that; if I send an email to an account that I KNOW exists - exactly the same as my account, but with no ".", gmail sends it to that account; but if someone in certain parts of the world (southern US for certain), sends to that address, I get their email.

      This has only been happening to me for a couple of years, and I have had this email address since we had to call it "googlemail.co.uk".

      I have told a certain US car dealership about this bug MANY times, but they keep asking me to take my car in for a service.

      1. John 110

        Re: Although...

        It's good to know I'm not alone, although I put it down to carelessness on the part of someone giving their email address. These days I just delete the emails, but I have been known to report them to abuse@ whoever sent them, and once I went the extra mile to inform a doctor's practice in California that their patient was never going to turn up for surgery... (That was hard, due to a reluctance on the part of the practice to put any contact details on the website that didn't need logging in to, and I wasn't going to phone them)

        1. Marcelo Rodrigues

          Re: Although...

          "and once I went the extra mile to inform a doctor's practice in California that their patient was never going to turn up for surgery... "

          I did it too! They didn't stop trying to contact the "other me"

      2. Shadow Systems

        At Ian Emery, re: car dealer...

        I've had fun in a similar situation.

        I kept getting accidental/incorrectly addressed email to me but for someone located in the UK. I replied to the dealer that I wasn't the right person, that my email was used in error, & to please remove it from their records. They were either too inept or lazy to scrub it, so the next time one came in from them I decided to have a bit of fun.

        I replied "Sure you can service my car. Please send a towtruck & a temporary vehicle for me to drive while you have mine in the shop." They agreed (evidently the other person had bought a rather expensive car & the dealership figured they could soak the fool) & asked me to confirm the address to which they would send them. I sent them the Google Maps coordinates. They replied "That can't be correct, that's not even in the UK!" To which I replied back "No shit. Neither am I. But since you can't be fuckin' arsed to fix your fuckin' records then you've already agreed to send a tow & a temp car. When will they arrive?"

        They never sent me another email.

        *Cackle*

        I tried to be polite about it, I tried to do the right thing, but when the other party refuses to act accordingly... It's time to fuck with their heads!

    2. Maverick

      Re: Although...

      I have this: a lady on the West Coast of 'merica registered with one dot, not two, which makes it easy to spot as my first name becomes a female name. Gmail filtering also helps, but why the heck they designed it that way is beyond me. Also, not having Netflix is a BIG plus from every angle ;)

    3. Anonymous Coward

      Re: Although...

      Er, I think the point is that Netflix do distinguish between agmailuser@gmail.com and a.gmail.user@gmail.com. To Netflix, they're different addresses, so different accounts. Google don't make a distinction.

      So if you learned that someone with the address agmailuser@gmail.com had a netflix account, you can have an account on netflix under the name a.gmail.user@gmail.com. Emails sent to a.gmail.user will actually arrive in agmailuser's inbox. If they're not paying attention, phish!

      Effectively Google have given gmail users an infinite variety of email addresses, meaning that it's possible for literally everyone else on the planet to cybersquat on their identity on all other services on the planet. If you are a gmail user, and you have an account on, say, Netflix and want to prevent anyone else taking out an account in your name you'd have to also take out accounts in the name of a.g.m.a.i.l.u.s.e.r@gmail.com (and every combination of letters and dots in your email address), plus all combinations of agmailuser+<insert any string here>@gmail.com. Clearly that's not possible.

      Google's "handy feature" is stupid.

      1. Szymon Kosecki

        Re: Although...

        It does not allow squatting as every such email address would still get delivered to your mailbox. It actually prevents squatting because of that.

        1. Anonymous Coward

          Re: Although...

          It does not allow squatting as every such email address would still get delivered to your mailbox. It actually prevents squatting because of that.

          No it doesn't. It requires you to spot and deal with emails that no one else on the planet is expecting you to receive. You make one single mistake doing that, it could cost you money and they're squatting. You can't even correct your mistake because they have the password for that account on that service, not you.

          No one but Google (not Netflix, the police, the courts, the banks, etc) considers agmailuser@gmail.com to be the same person as a.gmail.user@gmail.com.

          1. D@v3

            Re: They have the password.

            They do, but a couple of times I have received emails from services I have never heard of, so I go in, have 'forgotten my password', reset link gets sent to my email, I now own the account.

            1. Anonymous Coward

              Re: They have the password.

              @D@v3,

              They do, but a couple of times I have received emails from services I have never heard of, so I go in, have 'forgotten my password', reset link gets sent to my email, I now own the account.

              That's all well and good, but you may also have taken on legal responsibility for the account. That might come along with all sorts of liabilities, which might include (depending on the service provider and what is being provided) debt, criminal prosecution, ownership of some difficult-to-explain-in-front-of-a-judge content, etc. Trying to protest "but that's not my real email address" when, clearly, it is (and Google are also saying it is) sounds like a bad day to me.

              On the whole, not a good idea I think.

          2. MonkeyCee

            Re: Although...

            "You make one single mistake doing that, it could cost you money and they're squatting. You can't even correct your mistake because they have the password for that account on that service, not you."

            Lack of joined up thinking there AC.

            If you don't have a password, you can't load a CC.

            If you do have a password, the spoofers don't.

            If you have a problem, you contact netflix, and seeing as you control a) the contact email address and b) the credit card, I fail to see how you can't cancel the payment.

            Unless there's some method of inputting the CC into an unsecured form.

            "No one but Google (not Netflix, the police, the courts, the banks, etc) considers agmailuser@gmail.com to be the same person as a.gmail.user@gmail.com."

            They consider them to be separate email addresses. A person can clearly have more than one address. More than one person can have access to an email address. In fact there is no direct relationship between natural persons and email addresses.

            Personally I find it quite handy, but I have some 40+ email addresses being delivered to the same gmail account. Luckily it's yet to confuse the police, courts or the bank, all of whom use such boring things as a physical address or phone number when they really want to get hold of me, rather than email.

          3. mmccul

            Re: Although...

            Well, RFC 822 section 6.2.4 seems to disagree with you.

            1. Oliver P

              Re: Although...

              mmccul, I think you have misread RFC 822 section 6.2.4. It says, 'This specification treats periods (".") as lexical separators.' It says that the effect of these lexical separators is to divide the name of the mailbox and turn it into a sequence of tokens.

              Dividing a string in different places will yield distinct sequences. Note that the sequence ("a", "b"), which is a sequence of length 2, is a distinct sequence from the sequence ("ab"), which is a sequence of length 1.

      2. MOH

        Re: Although...

        I'm normally the first to hate on Google, but I don't see how this is their fault?

        It sounds as though Netflix are allowing people to register accounts with email addresses without bothering to validate that they have access to those addresses?

        That's insanely irresponsible, if that is actually the case. I hope I've misunderstood something.

        1. imanidiot Silver badge

          Re: Although...

          It's actually the other way around from what you are thinking. If YOU are registered to these services with a "dotted" email address, then someone can steal the account by creating an undotted email and then getting all of YOUR email. Including account password reset emails. Good luck getting your account back.

      3. tip pc Silver badge

        Re: Although...

        "If you are a gmail user, and you have an account on, say, Netflix and want to prevent anyone else taking out an account in your name you'd have to also take out accounts in the name of a.g.m.a.i.l.u.s.e.r@gmail.com (and every combination of letters and dots in your email address), plus all combinations of agmailuser+<insert any string here>@gmail.com. Clearly that's not possible.

        Google's "handy feature" is stupid."

        Do netflix and others not require the email account to be confirmed via some unique link before the account is activated?

        Yes someone could setup the account but they will never see any correspondence and the dotless account owner would be notified.

        I have seen that some sites are aware of Google's dotless addressing and will strip the dot when checking for existing accounts and bleat if they have an existing account regardless of where or how many dots were entered in the submission. It's not a difficult regex to write to validate & sanitise the input prior to db lookup.

        This is nothing but a subtle phishing attack and will catch out those who are click happy, but is easily fixed by Netflix, with no need for Google to disable what is a useful feature for some.
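The check tip pc describes just above (strip the dots before the existing-account lookup), written out as an added example; this is not Netflix's code or anything from the article. It canonicalises only for domains known to ignore dots and plus-tags (gmail.com, and googlemail.com as Gmail's alias domain; the thread itself only names gmail.com and the old googlemail.co.uk) and leaves the local part of every other domain untouched, since RFC 822 treats dots there as significant. The `AccountDirectory` store is a hypothetical stand-in for the registration database.

```python
import re
from typing import Dict, Optional

# Domains known to deliver every dotted / '+tag' variant of a local part to
# the same inbox. Assumption: gmail.com and its alias googlemail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# One user@domain token, no whitespace or second '@' (deliberately strict).
_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def canonical_email(address: str) -> str:
    """Return the key under which an address should be compared.

    The domain is lowercased for every address (DNS names are case-insensitive).
    For the dot-insensitive domains only, the local part is lowercased, any
    '+tag' is dropped and all dots are removed, so every variant that lands in
    one Gmail inbox yields the same key. Other domains keep their local part
    verbatim: stripping dots there would merge genuinely different mailboxes.
    """
    m = _ADDR_RE.match(address.strip())
    if not m:
        raise ValueError(f"not a single user@domain address: {address!r}")
    local, domain = m.group(1), m.group(2).lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # fold the alias domain onto the primary one
    return f"{local}@{domain}"


class AccountDirectory:
    """Hypothetical registration store, keyed on the canonical address."""

    def __init__(self) -> None:
        self._by_key: Dict[str, str] = {}  # canonical key -> address as entered

    def register(self, address: str) -> bool:
        """Create the account unless one already resolves to the same inbox.

        Returns True on success, False when an existing account collides, which
        is the "bleat if they have an existing account" behaviour in the post.
        """
        key = canonical_email(address)
        if key in self._by_key:
            return False
        self._by_key[key] = address
        return True

    def colliding_account(self, address: str) -> Optional[str]:
        """The already-registered address that shares an inbox, if any."""
        return self._by_key.get(canonical_email(address))


if __name__ == "__main__":
    directory = AccountDirectory()
    directory.register("agmailuser@gmail.com")
    # A dotted variant of a registered Gmail address is refused ...
    print(directory.register("a.gmail.user@gmail.com"))          # False
    # ... while the same dotted spelling at another domain is a new account.
    print(directory.register("a.gmail.user@example.com"))        # True
```

Running the lookup on the canonical key rather than the raw string means the dotted registration is refused and the legitimate owner is never sent a confirmation they did not ask for.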

  4. Stuart Moore

    email verification?

    Does Netflix not require some kind of email verification? I can't see how this would work without the scammer first getting the mark to tell Netflix this is a valid email address.

    1. Eddy Ito

      Re: email verification?

      Exactly this. Why is there a difference between someone registering for Netflix using the "actual" email address of say gmailuser@gmail.com and the "spoofed" dotted address g.mail.user@gmail.com if both addresses go to the same mailbox? Years ago I'd received several emails from Sony's Playstation online whatever it is asking about my account so I simply went online, reset the password, and closed the account. Note, the "attacker" didn't actually use dots, they simply signed up with my email address. Having said that, like someone mentioned in another thread, I use the dots to detect when someone is selling my address so I can point it out to them when I end my business relationship with them.

      I submit the premise of the headline "Netflix is secure" is false if they aren't validating email addresses at the time someone signs up.

  5. JAK 1

    Re: Will it really make any difference?

    When you setup an account with Netflix they will email you to check the address is valid

    If you receive an email saying, Welcome to Netflix click here if you've just joined

    don't click the email

    1. Simon Harris

      Re: Will it really make any difference?

      Is it possible to trick this?

      Sign up to Netflix with a throwaway email.

      Netflix sends the signup confirmation there.

      Do the confirmation on that address.

      Log in to the Netflix website using the throwaway address.

      Go to account settings and change the email address to a dotted-variant of that of your mark.

      That way your mark never sees the signup confirmation.

      1. MonkeyCee

        Re: Will it really make any difference?

        "Log in to the Netflix website using the throwaway address.

        Go to account settings and change the email address to a dotted-variant of that of your mark.

        That way your mark never sees the signup confirmation."

        But they do get the "you've changed your email to this one" message. Which should raise alarm bells.

      2. tip pc Silver badge

        Re: Will it really make any difference?

        Log in to the Netflix website using the throwaway address.

        Go to account settings and change the email address to a dotted-variant of that of your mark.

        That way your mark never sees the signup confirmation.

        An email confirmation is sent to the new address, with the account i assume in limbo until the address is confirmed.

      3. HugoToledoUSA

        Re: Will it really make any difference?

        Yes, I think this was the missing piece in previous descriptions. Good point. Thanks!
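The address-change flow that tip pc and MonkeyCee describe in this thread (the confirmation goes to the new address, the current address is told a change was requested, and nothing switches until the account password is re-entered alongside the emailed token), written out as an added example. This is not Netflix's code or anything from the article; `EmailChangeService`, `Account` and the `Outbox` recorder are hypothetical stand-ins for a real account service and mail sender.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    email: str                            # address the account is live on
    salt: bytes
    password_hash: bytes
    pending_email: Optional[str] = None   # requested, not yet confirmed
    pending_token: Optional[str] = None   # single-use confirmation token


class Outbox:
    """Constructed stand-in for the mail sender: records (recipient, subject)."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EmailChangeService:
    """Hypothetical account service implementing confirm-before-switch."""

    def __init__(self, outbox: Outbox) -> None:
        self.outbox = outbox

    def create_account(self, username: str, email: str, password: str) -> Account:
        salt = secrets.token_bytes(16)
        return Account(username, email, salt, _hash_password(password, salt))

    def request_change(self, account: Account, new_email: str) -> str:
        """Record the request. The live address does NOT change yet."""
        token = secrets.token_urlsafe(32)
        account.pending_email = new_email
        account.pending_token = token
        # Confirmation link goes to the NEW address ...
        self.outbox.send(new_email, "Confirm your new email address")
        # ... and the CURRENT address is told, so the real owner sees a change
        # they never asked for (the "alarm bells" MonkeyCee mentions).
        self.outbox.send(account.email, "An email address change was requested")
        return token

    def confirm(self, account: Account, token: str, password: str) -> bool:
        """Apply the change only with the emailed token AND the account password.

        Someone who merely receives the confirmation mail cannot complete the
        switch without the password; someone who has the password cannot point
        the account at an inbox they do not control without the token.
        """
        if account.pending_token is None or account.pending_email is None:
            return False
        if not hmac.compare_digest(_hash_password(password, account.salt),
                                   account.password_hash):
            return False
        if not hmac.compare_digest(token, account.pending_token):
            return False
        old = account.email
        account.email = account.pending_email
        account.pending_email = account.pending_token = None
        self.outbox.send(old, "Your email address has been changed")
        return True


if __name__ == "__main__":
    outbox = Outbox()
    svc = EmailChangeService(outbox)
    acct = svc.create_account("alice", "alice@example.com", "correct horse")
    token = svc.request_change(acct, "a.lice@example.com")
    print(acct.email)                                   # still alice@example.com
    print(svc.confirm(acct, token, "wrong password"))   # False
    print(svc.confirm(acct, token, "correct horse"))    # True
    print(acct.email)                                   # a.lice@example.com
```

The pending fields are what make Simon Harris's throwaway-then-switch sequence fail: until `confirm` succeeds the account keeps its old address, and the real owner of the target inbox has been notified twice, once when the change was requested and once if it ever completes.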

  6. Anonymous Coward

    TL;DR but what is it with ****ing developers

    that they seem to think they can improve on the thousands of man hours that go into RFCs ???

    If I had a penny for every bug I've fixed that originated in a bit of code some smart arse thought was better than tried and tested modules ... I'd have a lot of pennies.

    email, telephone and postcode (UK) validation should have been nailed 25 fucking years ago. So why do I still see code (badly) written last week ?

    Amateurs ....

    1. Anonymous Coward

      Re: TL;DR but what is it with ****ing developers

      The RFCs actually allow a lot of freedom for what comes before the @, because they were written in an era when how people were identified on different systems could vary wildly. IIRC, they even allow case-sensitive identifiers - so JOHN.DOE could be different from john.doe or John.Doe... just I think nobody in their senses ever used it.

      Why Google decided to implement GMail in a way that is different from how most people are used to thinking email works is the issue. Maybe they thought it was a smart way to avoid people registering look-alike addresses for doing something nasty, maybe the reasons are others. Anyway, the main issue is having billions of addresses in a single domain, while people with the same name are not rare at all, especially in some countries.

      1. awy

        Re: TL;DR but what is it with ****ing developers

        Actually, case-sensitivity in the local part used to be quite common in the (early) '80s. I'm not actually sure when it fell out of fashion.

        1. Black Betty

          Re: TL;DR but what is it with ****ing developers

          When MS rammed case insensitivity down everyone's throats IIRC.

      2. Black Betty

        Re: TL;DR but what is it with ****ing developers

        *nix is case sensitive, but IIRC there was a big kerfuffle when MS got into the internet business and rammed case insensitivity down everyone's throats and broke a lot of expected behaviours.

        1. Anonymous Coward

          "*nix is case sensitive"

          But humans aren't. Sure, written language does use case to better distinguish some words - using some known rules, but spoken language isn't (good luck with voice activated commands...) - and trying to enforce case sensitivity on humans is one of the worst things Unix programmers could think of - a clear case when engineering laziness ("hey, string comparisons in English only are far easier this way!") took precedence over a comprehensive, future-proof solution (hint: in many languages you have to follow proper collation rules to compare strings, or you'll fail).

          I understand mail RFCs had to cope with the limitations and bad designs of many early operating systems. There's really no need to persist in those mistakes - software must serve humans, not vice versa.

          IIRC DNS was designed to be case-insensitive - think if you had to register all the permutations of a domain name. URLs can contain case-sensitive parts (besides the domain name), because, of course, of the Unix limitations when it comes to accessing the file system...
