STE WILLIAMS

Gmail is secure. Netflix is secure. Together they’re a phishing threat

A developer has discovered that Gmail’s email handling creates a handy phishing vector to attack Netflix customers.

The problem is that Netflix, like most systems, treats dots in the local part of an e-mail address as significant (so richardchirgwin and richard.chirgwin are different accounts) – but Gmail does not.

Over the weekend, developer James Fisher described his experience here: he received a legitimate e-mail from Netflix addressed to [email protected] that Gmail helpfully redirected to his dotless account.

[Image: e-mail from Netflix to James Fisher] Genuine in almost every way: the e-mail Fisher received

Since the e-mail arrived to the correct inbox, and since it genuinely came from Netflix, Fisher came close to accepting its request that he update his details – except that he didn’t recognise the credit card attached to the “dotted” account.

If someone accidentally adds dots to your address, Gmail will still send you that email. For example, if your email is [email protected], you own all dotted versions of your address:

[email protected]

[email protected]

[email protected]

This, Fisher wrote, creates the phishing vector: an attacker who tried hard enough would find a Netflix account already registered to a Gmail address, and could then register a second Netflix account under that address with an extra dot inserted.

If the attacker signed up with a “throwaway” card number, and then cancelled the card, Netflix would email the “real” Gmail account-holder asking for a valid card. It only needs the recipient to do so without noticing a discrepancy, and the attacker has tricked someone into paying for their streaming.
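The mismatch described above comes down to two different canonicalisation rules for the same string. The following is an added example, not code from the article, from Fisher's post, or from Google or Netflix: it folds addresses the way Gmail routes them (dots and "+tags" in the local part ignored, googlemail.com treated as gmail.com) and leaves every other domain's local part untouched, so a service can spot registrations that deliver to one inbox, and a mailbox can flag a message addressed to a non-standard spelling of its owner's address (Fisher's first suggested fix). All addresses in it are constructed sample data; the Gmail folding rules are the publicly documented ones, and the function and variable names are my own.

```python
"""Canonicalise Gmail addresses the way Gmail delivers them, so that a
service can detect "dotted" duplicate registrations and a mail client can
flag a message addressed to a non-standard spelling of the user's address.
Added example; names and sample data are constructed, not from the article."""
from __future__ import annotations

from collections import defaultdict

# Domains whose local part is dot-insensitive and ignores "+tags" (Gmail's documented rule).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return the delivery-equivalent form of an address.

    Gmail-hosted addresses: lowercase, drop every dot in the local part,
    drop any "+tag" suffix, and fold googlemail.com onto gmail.com.
    Any other domain: only the domain is lowercased; dots in the local part
    stay significant, which is what Netflix (and RFC 5321) assume.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def dotted_collisions(registered: list[str]) -> dict[str, list[str]]:
    """Service-side check: group registered addresses by canonical form and
    return only the groups whose members all deliver to the same Gmail inbox.
    A sign-up flow can refuse, or at least review, a new address that lands
    in an existing group."""
    groups: dict[str, list[str]] = defaultdict(list)
    for address in registered:
        groups[canonical_email(address)].append(address)
    return {canon: variants for canon, variants in groups.items() if len(variants) > 1}


def is_nonstandard_spelling(to_header: str, primary: str) -> bool:
    """Mailbox-side check: True when the message reaches this inbox only
    through dot/plus folding, i.e. the To: address is not the address the
    user actually registered. That is the case worth warning about."""
    return (canonical_email(to_header) == canonical_email(primary)
            and to_header.strip().lower() != primary.strip().lower())


# Constructed sample data (not real accounts).
SAMPLE_ACCOUNTS = [
    "alice@gmail.com",
    "al.ice@gmail.com",
    "a.l.i.c.e+netflix@googlemail.com",
    "bob@gmail.com",
    "richard.chirgwin@example.com",   # non-Gmail: dots stay significant
    "richardchirgwin@example.com",
]

if __name__ == "__main__":
    for canon, variants in dotted_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{canon} is registered {len(variants)} times: {variants}")
    print(is_nonstandard_spelling("al.ice@gmail.com", "alice@gmail.com"))
```

Run as a script it reports the three `alice` spellings as one inbox and leaves the two `example.com` addresses alone; the last line prints `True`, the condition under which a mailbox would show Fisher's proposed warning. The service-side grouping is the check Netflix's sign-up could have applied: the second registration never needs to be refused outright, but it should not be treated as an unrelated customer.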

Security luminary Bruce Schneier commented that the problem is subtle: “It’s an example of two systems without a security vulnerability coming together to create a security vulnerability.”

Fisher suggested two possible fixes: Google could warn a Gmail user prominently that an e-mail was sent to a “non-standard” address, and it should let users opt out of the “dots don’t matter” feature.

He added that he believes the feature should be retired. Google, however, has promoted it as a useful feature. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/10/gmail_netflix_phishing_vector/
