Gmail "dots don"t matter" feature exposes Netflix users to phishing attacks

Filip TRUȚĂ

April 10, 2018


If your Netflix account is registered with a Gmail address, beware of any email from Netflix asking you to renew your payment details. That is the warning from a developer who came within inches of paying someone else's Netflix bill with his own credit card.

James Fisher signed up for Netflix in 2013 using jameshfisher@gmail.com. Because of Gmail's infamous "dots don't matter" rule, which Google insists is good for users, Gmail ignores dots in the part of the address before the @, so james.hfisher@gmail.com is the same mailbox and mail to either address lands in Fisher's inbox.

A person with a similar name in a different state had signed up for Netflix using the dotted variant, james.hfisher@gmail.com. When that account's billing failed, Netflix emailed the address on file asking for updated card details, and Gmail delivered the message to the real Fisher, neither service knowing that a different person was behind the dotted version of the address.

As Fisher recalls, he was seconds away from entering his own card number, which would have meant supplying a valid payment method for someone else's Netflix service, when he noticed that something was amiss.

“The email is genuinely from netflix.com, so I clicked the link,” Fisher writes. “It logged me in and took me to an ‘Update your credit or debit card’ page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the ‘Update’ page showed my declined card as **** 2745. A card number I don't recognize. Checking my records, I've never seen this card number. What's going on?”

“I finally realized that this email is to james.hfisher@gmail.com. I normally use jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because ‘dots don't matter in Gmail addresses.’”
</gre_replace>
<gr_replace lines="25" cat="clarify" orig="He then demonstrates">
He then shows how a deliberate attacker could turn the same behaviour into a phishing scam: register a Netflix account under a dotted variant of the target's Gmail address, use a payment method that will fail, and let Netflix's own, genuine billing reminder land in the target's inbox. Nothing in the email or on the landing page is forged, which is exactly why it is so easy to trick someone into paying for your Netflix membership.

He then demonstrates how a standard phishing scam could take advantage of this oversight between the two services. Indeed, it seems ridiculously easy to exploit and trick someone into paying for your Netflix membership.
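The collision Netflix missed can be caught on the service side by canonicalizing addresses the way Gmail does before comparing them. The code below is an added example, not code from the article, from Fisher, or from Netflix or Google. It goes beyond the article's dots-only case by also applying Gmail's two other documented equivalences (a "+tag" suffix is ignored for delivery, and googlemail.com is an alias of gmail.com). The function names, the account identifiers and the sample registrations are constructed for illustration; only jameshfisher@gmail.com and its dotted variant come from the article.

```python
"""Gmail-style mailbox canonicalization and sign-up collision check (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Domains whose local parts Gmail normalizes before delivery.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail addresses this lower-cases the local part, strips the dots Gmail
    ignores ("dots don't matter"), drops any "+tag" suffix and folds
    googlemail.com into gmail.com. For every other domain only the domain is
    lower-cased, because other providers' local-part rules are not known here.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    if not local:
        raise ValueError(f"empty local part after normalization: {address!r}")
    return f"{local}@{domain}"


def find_colliding_accounts(accounts: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group account ids whose registration e-mails deliver to one mailbox.

    Only mailboxes claimed by more than one account id are returned; these are
    the accounts whose billing mail would reach someone else's inbox.
    """
    by_mailbox: Dict[str, List[str]] = defaultdict(list)
    for account_id, email in accounts:
        by_mailbox[canonical_mailbox(email)].append(account_id)
    return {mbox: ids for mbox, ids in by_mailbox.items() if len(ids) > 1}


def signup_allowed(existing_emails: Iterable[str], new_email: str) -> bool:
    """Reject a sign-up whose address is a dot/tag variant of an existing one."""
    taken = {canonical_mailbox(e) for e in existing_emails}
    return canonical_mailbox(new_email) not in taken


# Constructed sample data (hypothetical account ids). Only the first two
# addresses come from the article; the rest are made up for illustration.
SAMPLE_ACCOUNTS = [
    ("acct-1001", "jameshfisher@gmail.com"),
    ("acct-2002", "james.hfisher@gmail.com"),
    ("acct-3003", "J.Ames.H.Fisher+netflix@googlemail.com"),
    ("acct-4004", "jane.doe@example.com"),
    ("acct-5005", "jane.doe@example.org"),
]

if __name__ == "__main__":
    for mailbox, ids in find_colliding_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{mailbox}: {', '.join(ids)}")
    print(signup_allowed([e for _, e in SAMPLE_ACCOUNTS], "jameshfisher+trial@gmail.com"))
```

Applying `signup_allowed` at registration would have refused the second Fisher account before any billing email went out, and `find_colliding_accounts` run over an existing user table surfaces accounts that already share a mailbox. Non-Gmail domains are deliberately left untouched: treating jane.doe@example.com and janedoe@example.com as one mailbox would be wrong for a provider that does not follow Gmail's rule.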

Fisher condemns Google for keeping the "dots don't matter" feature, even though the search giant itself once admitted that it could be "confusing" to users. He suggests ways Google could mitigate the problem but believes the feature should be retired altogether.

Security heavyweight Bruce Schneier calls it “an example of two systems without a security vulnerability coming together to create a security vulnerability.” Indeed, neither service is to blame fully for this issue but, now that the word is out, maybe one of them will address it.

As a rule of thumb, be wary of any email asking you to renew billing information. This Gmail/Netflix mix-up is a perfect example of a phishing scam created out of thin air by combining legitimate functionality in two separate services. Check that the details in the message actually match yours, in particular the address it was sent to and the last digits of the card it says is on file, and never supply credit/debit card details or reset a password before confirming that the change is really necessary.

Phishing remains one of the most popular attack vectors for bad actors and one of the biggest threats to online services. A study Google conducted with the University of California, Berkeley found phishing to be the greatest threat to account-based online services in 2017.

Data compiled by experts in email analytics shows that 87.6% of root domains operated by top e-retailers in the US and EU are exposing their consumers to phishing scams.
