This has happened to me for years
But with Amazon. Sometimes I cancel her parcels.
A developer has discovered that Gmail's email handling creates a handy phishing vector to attack Netflix customers. The problem is that Netflix, like most systems, recognises dots in e-mail handles (so richardchirgwin and richard.chirgwin are different accounts) – but Gmail does not. Over the weekend, developer James Fisher …
Yeah, I have a guy with the same name in Ireland who's somehow convinced that he has a variation of my email address.
One year I managed to get a postal address off a plane ticket he bought and sent him a letter. He was very good for a while, and wrote a nice letter back and closed a bunch of accounts (including PayPal - I could have been very naughty and "confirmed" his account and then waited for him to add a credit card, but I'm far too honest). But then either he or another person in Ireland with the same name started doing it again about six months later.
I now just put them in spam folders. Fact is, it's more tricky to convince me anyway as I have a domain that forwards to various things (one destination is a GMail that I can access on the go), but for which I use unique prefixes for each service. It's quite obvious and takes seconds to know if an email was sent to the actual prefix I signed up with, to some made-up prefix at my domain, or direct to the GMail account. Pretty much anything direct to the account is spam (I've never advertised that address whatsoever).
I always wondered what the point of the dot-address stuff was on GMail as I could only think of ways for it to go wrong. On a side-note, does anyone remember the Apache mod_spell module, that would try to correct mis-spelled page names? That always seemed the same to me... surely it just lets a ton of mis-spelled links propagate all over the web rather than actually fix the problem.
I use the dot in my Gmail address. Say I'm signing up to a website, I might use j.oebloggs@gmail instead of joebloggs. If that website passes on my address and results in spoof mail, I can more easily block it. It's handy because not every site accepts a plus sign in the email field so I can't always use joebloggs+netflicks@gmail.com
he has a variation of my email address
This is one of the positive benefits of owning my own domain and running my own server - I control absolutely who gets an email address and what format it is.
Of course there is a downside - having a catchall address also means what little spam gets through my firewall ends up in my address (which can also be useful - I can use variants of my email address for specific vendors so I'll know who has been abusing my emails..).
I have to say that operating a catchall address in this day and age is really a liability and not an asset. Unless of course you're maintainer of some RBL.
If you want to know who's trying to spam you, you simply look at the mail log and the rejected messages.
If you're using it as a honeypot to construct some kind of home-baked RBL, then just subscribe to Spamhaus Zen. Their database is orders of magnitude bigger than anything a little home domain will encounter... and is therefore much more useful if some exploit is in the wild. It's free for a host processing less than 100,000 SMTP connections per day. I used it for my medium-sized organisation (5000 mailboxes) until they made us get crappy Ironport. Like any RBL, the rejected connections are clearly logged in the mail log.
If you're operating a catch-all to capture misspellings of your email address(es), simply set up a catch-all that's aliased only with the likely misspellings.
Google (as well as the infamous mod_spell) ignores two basic rules of good software development:
1. Never fix user input!
2. If the customer insists on breaking the first rule, then let the software inform the user about the fix and let the user confirm the fix!
Fixing user input silently is very wrong. There are so many reasons for wrong user input: typos, wrong information, fraud etc. If software fixes it without informing the user, the user has no chance to find out that something is wrong.
I don't use Gmail, so I was quite surprised that they do such a stupid thing. I thought in 2018 every software engineer should have learned that at university...
BR
littlesmith
I'm in contact with around 3 or so namesakes I get email for, including one in my home town. I've had property rental statements, mortgage application details, house sale agreements, job contracts. I even got something rather important that I could have digitally signed for and caused all kinds of issues. Quite a lot of the time the companies they are using have assumed my namesakes have made a mistake in the email address they've given and corrected it to mine off their own back. I am however nice and let people know of their mistake. I even forward email on to one guy in the US; trouble is, when I used to send myself an email to remind myself of things (stopped doing that a long while ago), he was in my autocomplete and I sent him my private stuff a couple of times!
I've used the dot in my email address for services that point blank refuse to allow me to use my original email address as they have it on file but no password reset mechanism. I find it quite useful so I hope it's not retired.
> I've had property rental statements, mortgage application details
> house sale agreements, job contracts.
Same.
It turns out that a lot of people have a firstname.lastname that is the same as the single name on a gmail account I use - and it seems plenty of them are handing out the wrong address or friends and family are misremembering / guessing wrongly.
I was copied into one conversation involving organising, and paying for tickets to a group trip to an event at the Sydney Opera house that in total gave me a perfect little identity theft kit overnight.
I've had very many opportunities to activate post-sale services for someone in California who bought a posh car. And for someone on the East Coast who bought a much less posh one.
There have been plenty of invites to things that sounded like a lot of fun but were happening on the wrong continent and more than a few pieces of very personal news.
It's not really much of an inconvenience for me but I suspect some of the intended recipients would really rather it didn't work the way it does.
Also, why haven't folks complained about ignoring the + you can put at the end of your gmail address?
So yournamehere+whatanumpty@gmail.com would work just as well as your.name.here@gmail.com
WHY OH WHY OH WHY do f**ktards like to moan about features that have been around since day 1 ???
Can't the commentards just keep them.selves to themselves.... ???
Sure, this is something to be aware of, but hey - don't go blaming google because you are a numpty that doesn't understand the service you are using FOR FREE.....
"John Doe Jr" is the same as "John Doe Jr." in real life. "John J Doe" is the same on any legal document as "John J. Doe".
Treating punctuation differently in email addresses is no different than typo-squatting a domain name except it's less obvious.
Gmail has been this way for years and other sites should follow their example on all new email addresses. We know what evil lurks on the Internet so let's close off the easy methods rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway.
"rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway."
Most email clients hide the actual email address that is being sent to, so there is little chance to spot the mistake. The thing is, though, it should not matter if someone changes their email address to yours post sign-up, as an email should be sent stating "you've changed your email address to this, click here to confirm. If you've not changed your address then ignore this email" or some words along those lines. When the link is clicked, the user should have to then enter their account username and password before the change is confirmed. If someone is trying to spoof or phish you into something, not having the password will stop the email change to make it look like yours. In order to log in and add a CC will require a password reset, and the scammer won't have it and won't be able to reset it as the reset email will go to you. You may end up with 2 Netflix accounts, but that's easily refundable by Netflix, as why would you have two accounts with similar email addresses?
This is all FUD and aimed at Netflix for the person who claims this story happened to them to gain some column inches.
This is easily verifiable by anyone changing the email address of their Netflix or other reputable online service/retailer. There are established rules and procedures around doing this sort of thing, which any auditor will check for.
I don't think you understand the attack. You create a previously non-existent account on Netflix, which is given the dotted email address. When the legitimate Netflix user gets the message, they are able to change the card details. Some (admittedly small) percentage of folks will do just that, allowing the fake user to get Netflix for free.
Re: 'why', I would assume it's from a zealous reading of RFC 2822; in its grammar a dot is defined as a separator but a separator has no defined lexical meaning for the local part of an address. A server can do whatever it wants — to the extent that 2822's predecessor, 822, received an official amendment to clarify that the local part should not be modified when forwarding messages. Prior to that it was valid for server A to remove or add dots as it felt fit, then pass that along to server B assuming it made no difference there either.
I think it is more complicated than that; if I send an email to an account that I KNOW exists - exactly the same as my account, but with no ".", gmail sends it to that account; but if someone in certain parts of the world (southern US for certain), sends to that address, I get their email.
This has only been happening to me for a couple of years, and I have had this email address since we had to call it "googlemail.co.uk".
I have told a certain US car dealership about this bug MANY times, but they keep asking me to take my car in for a service.
It's good to know I'm not alone, although I put it down to carelessness on the part of someone giving their email address. These days I just delete the emails, but I have been known to report them to abuse@ whoever sent them, and once I went the extra mile to inform a doctor's practice in California that their patient was never going to turn up for surgery... (That was hard, due to a reluctance on the part of the practice to put any contact details on the website that didn't need you to be logged in to, and I wasn't going to phone them)
I've had fun in a similar situation.
I kept getting accidental/incorrectly addressed email to me but for someone located in the UK. I replied to the dealer that I wasn't the right person, that my email was used in error, & to please remove it from their records. They were either too inept or lazy to scrub it, so the next time one came in from them I decided to have a bit of fun.
I replied "Sure you can service my car. Please send a towtruck & a temporary vehicle for me to drive while you have mine in the shop." They agreed (evidently the other person had bought a rather expensive car & the dealership figured they could soak the fool) & asked me to confirm the address to which they would send them. I sent them the Google Maps coordinates. They replied "That can't be correct, that's not even in the UK!" To which I replied back "No shit. Neither am I. But since you can't be fuckin' arsed to fix your fuckin' records then you've already agreed to send a tow & a temp car. When will they arrive?"
They never sent me another email.
*Cackle*
I tried to be polite about it, I tried to do the right thing, but when the other party refuses to act accordingly... It's time to fuck with their heads!
I have this: a lady on the West Coast of 'merica registered with one dot, not two, which makes it easy to spot as my first name becomes a female name. Gmail filtering also helps, but why the heck they designed it that way is beyond me; also, not having Netflix is a BIG plus from every angle ;)
Er, I think the point is that Netflix do distinguish between agmailuser@gmail.com and a.gmail.user@gmail.com. To Netflix, they're different addresses, so different accounts. Google don't make a distinction.
So if you learned that someone with the address agmailuser@gmail.com had a netflix account, you can have an account on netflix under the name a.gmail.user@gmail.com. Emails sent to a.gmail.user will actually arrive in agmailuser's inbox. If they're not paying attention, phish!
Effectively Google have given gmail users an infinite variety of email addresses, meaning that it's possible for literally everyone else on the planet to cybersquat on their identity on all other services on the planet. If you are a gmail user, and you have an account on, say, Netflix and want to prevent anyone else taking out an account in your name you'd have to also take out accounts in the name of a.g.m.a.i.l.u.s.e.r@gmail.com (and every combination of letters and dots in your email address), plus all combinations of agmailuser+<insert any string here>@gmail.com. Clearly that's not possible.
Google's "handy feature" is stupid.
It does not allow squatting as every such email address would still get delivered to your mailbox. It actually prevents squatting because of that.
No it doesn't. It requires you to spot and deal with emails that no one else on the planet is expecting you to receive. You make one single mistake doing that, it could cost you money and they're squatting. You can't even correct your mistake because they have the password for that account on that service, not you.
No one but Google (not Netflix, the police, the courts, the banks, etc) considers agmailuser@gmail.com to be the same person as a.gmail.user@gmail.com.
@D@v3,
They do, but a couple of times I have received emails from services I have never heard of, so I go in, have 'forgotten my password', reset link gets sent to my email, I now own the account.
That's all well and good, but you may also have taken on legal responsibility for the account. That might come along with all sorts of liabilities, which might include (depending on the service provider and what is being provided) debt, criminal prosecution, ownership of some difficult-to-explain-in-front-of-a-judge content, etc. Trying to protest "but that's not my real email address" when, clearly, it is (and Google are also saying it is) sounds like a bad day to me.
On the whole, not a good idea I think.
"You make one single mistake doing that, it could cost you money and they're squatting. You can't even correct your mistake because they have the password for that account on that service, not you."
Lack of joined up thinking there AC.
If you don't have a password, you can't load a CC.
If you do have a password, the spoofers don't.
If you have a problem, you contact netflix, and seeing as you control a) the contact email address and b) the credit card, I fail to see how you can't cancel the payment.
Unless there's some method of inputting the CC into an unsecured form.
"No one but Google (not Netflix, the police, the courts, the banks, etc) considers agmailuser@gmail.com to be the same person as a.gmail.user@gmail.com."
They consider them to be separate email addresses. A person can clearly have more than one address. More than one person can have access to an email address. In fact there is no direct relationship between natural persons and email addresses.
Personally I find it quite handy, but I have some 40+ email addresses being delivered to the same gmail account. Luckily it's yet to confuse the police, courts or the bank, all of whom use such boring things as a physical address or phone number when they really want to get hold of me, rather than email.
mmccul, I think you have misread RFC 822 section 6.2.4. It says, 'This specification treats periods (".") as lexical separators.' It says that the effect of these lexical separators is to divide the name of the mailbox and turn it into a sequence of tokens.
Dividing a string in different places will yield distinct sequences. Note that the sequence ("a", "b"), which is a sequence of length 2, is a distinct sequence from the sequence ("ab"), which is a sequence of length 1.
I'm normally the first to hate on Google, but I don't see how this is their fault.
It sounds as though Netflix are allowing people to register accounts with email addresses without bothering to validate that they have access to those addresses?
That's insanely irresponsible, if that is actually the case. I hope I've misunderstood something.
It's actually the other way around from what you are thinking. If YOU are registered to these services with a "dotted" email address, then someone can steal the account by creating an undotted email and then getting all of YOUR email. Including account password reset emails. Good luck getting your account back.
"If you are a gmail user, and you have an account on, say, Netflix and want to prevent anyone else taking out an account in your name you'd have to also take out accounts in the name of a.g.m.a.i.l.u.s.e.r@gmail.com (and every combination of letters and dots in your email address), plus all combinations of agmailuser+<insert any string here>@gmail.com. Clearly that's not possible.
Google's "handy feature" is stupid."
Do netflix and others not require the email account to be confirmed via some unique link before the account is activated?
Yes someone could setup the account but they will never see any correspondence and the dotless account owner would be notified.
I have seen that some sites are aware of Google's dotless addressing and will strip the dot when checking for existing accounts and bleat if they have an existing account regardless of where or how many dots were entered in the submission. It's not a difficult regex to write to validate & sanitise the input prior to DB lookup.
This is nothing but a subtle phishing attack and will catch out those who are click happy, but is easily fixed by Netflix, with no need for Google to disable what is a useful feature for some.
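The "strip the dot when checking for existing accounts" idea in the post above, as an added example that is not any commenter's or Netflix's code. It canonicalises an address into a lookup key before the existence check, but only applies the dot-and-plus folding to domains known to ignore them (the list is an assumption; only gmail.com and googlemail.com are included here), because for other providers the dot is significant and, as a later comment notes, my.dad@provider.com and mydad@provider.com really are different mailboxes. The trailing-dot and domain case handling are also assumptions for the lookup key. Class and function names are illustrative.

```python
"""Canonicalise mailbox addresses before an account-existence check.

Added example (not from the thread or from any service it mentions).
Lookup key rules, all assumed for illustration:
  - domain: lower-cased (DNS is case-insensitive), trailing dot removed
  - local part: for DOT_INSENSITIVE_DOMAINS only, "+suffix" dropped,
    dots removed and case folded; for everyone else kept exactly as entered
"""
from typing import Dict

# Providers known to deliver a.b.c+tag@ and abc@ to the same mailbox (assumed list).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


class InvalidAddress(ValueError):
    """Input is not a single user@domain address."""


class DuplicateAccount(ValueError):
    """An account already exists for the same mailbox."""


def canonicalise(address: str) -> str:
    """Return the key used to decide whether two addresses reach one mailbox."""
    address = address.strip()
    if address.count("@") != 1:
        raise InvalidAddress(f"expected exactly one '@': {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")  # "example.com." is a valid FQDN form
    if not local or not domain:
        raise InvalidAddress(f"empty local part or domain: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
    # Other domains: dots and case in the local part are significant, keep them.
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses are expected to deliver to one mailbox."""
    return canonicalise(a) == canonicalise(b)


class Registry:
    """Minimal account store keyed on the canonical address."""

    def __init__(self) -> None:
        self._accounts: Dict[str, str] = {}  # canonical key -> address as entered

    def register(self, address: str) -> str:
        key = canonicalise(address)
        if key in self._accounts:
            raise DuplicateAccount(
                f"{address!r} reaches the same mailbox as {self._accounts[key]!r}"
            )
        self._accounts[key] = address
        return key


if __name__ == "__main__":
    reg = Registry()
    print(reg.register("agmailuser@gmail.com"))
    try:
        reg.register("A.Gmail.User+netflix@Gmail.com")
    except DuplicateAccount as exc:
        print("blocked:", exc)
```

Keeping the entered form alongside the key matters: the key is for collision checks, while mail should still be sent to the address the user typed, since the folding is only known to be safe for the listed providers.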
Exactly this. Why is there a difference between someone registering for Netflix using the "actual" email address of say gmailuser@gmail.com and the "spoofed" dotted address g.mail.user@gmail.com if both addresses go to the same mailbox? Years ago I'd received several emails from Sony's Playstation online whatever it is asking about my account so I simply went online, reset the password, and closed the account. Note, the "attacker" didn't actually use dots, they simply signed up with my email address. Having said that, like someone mentioned in another thread, I use the dots to detect when someone is selling my address so I can point it out to them when I end my business relationship with them.
I submit the premise of the headline "Netflix is secure" is false if they aren't validating email addresses at the time someone signs up.
Is it possible to trick this?
Sign up to Netflix with a throwaway email.
Netflix sends the signup confirmation there.
Do the confirmation on that address.
Log in to the Netflix website using the throwaway address.
Go to account settings and change the email address to a dotted-variant of that of your mark.
That way your mark never sees the signup confirmation.
"Log in to the Netflix website using the throwaway address.
Go to account settings and change the email address to a dotted-variant of that of your mark.
That way your mark never sees the signup confirmation."
But they do get the "you've changed your email to this one" message. Which should raise alarm bells.
Log in to the Netflix website using the throwaway address.
Go to account settings and change the email address to a dotted-variant of that of your mark.
That way your mark never sees the signup confirmation.
An email confirmation is sent to the new address, with the account I assume in limbo until the address is confirmed.
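The email-change procedure argued for earlier in the thread (notice to the old address, confirmation link to the new one, password required when the link is redeemed) and the "account in limbo" outcome described just above, modelled as an added example. This is not Netflix's code or any commenter's; the class, method names and token lifetime are assumptions, and the outbox list stands in for a mail sender. The point it shows is that redeeming the token proves control of the new mailbox while the password proves control of the account, so a party who holds only one of the two cannot finish the change.

```python
"""Email-change confirmation with re-authentication (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import List, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a confirmation token


class Account:
    def __init__(self, email: str, password: str) -> None:
        self.email = email
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        # (new_email, token, expiry) while a change is open; None otherwise
        self.pending: Optional[Tuple[str, str, float]] = None
        # (recipient, subject) pairs; a constructed stand-in for real mail
        self.outbox: List[Tuple[str, str]] = []

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash, self._hash(password))

    def request_email_change(self, new_email: str, now: Optional[float] = None) -> str:
        """Open a change. The token is mailed only to the new address; the old
        address gets a notice. The account keeps its old address meanwhile."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending = (new_email, token, now + TOKEN_TTL_SECONDS)
        self.outbox.append((self.email, "A change of your email address was requested"))
        self.outbox.append((new_email, f"Confirm your new email address: token={token}"))
        return token

    def confirm_email_change(self, token: str, password: str,
                             now: Optional[float] = None) -> bool:
        """Apply the change only when the caller presents both the token (proof of
        the new mailbox) and the account password (proof of the account)."""
        now = time.time() if now is None else now
        if self.pending is None:
            return False
        new_email, expected, expiry = self.pending
        if now > expiry:
            self.pending = None  # stale request is discarded
            return False
        if not hmac.compare_digest(token, expected):
            return False
        if not self.check_password(password):
            return False  # mailbox holder without the password: stays in limbo
        old_email, self.email, self.pending = self.email, new_email, None
        self.outbox.append((old_email, f"Your email address is now {new_email}"))
        return True


if __name__ == "__main__":
    acct = Account("throwaway@example.com", "correct horse")
    tok = acct.request_email_change("a.gmail.user@gmail.com")
    print("mailbox holder, no password:", acct.confirm_email_change(tok, "guess"))
    print("password holder, no token:", acct.confirm_email_change("x", "correct horse"))
    print("both:", acct.confirm_email_change(tok, "correct horse"), acct.email)
```

The notice to the old address is what lets the original owner notice a change they did not make; the password step at redemption is what stops the recipient of a mis-addressed confirmation from completing someone else's change, which is the failure mode the thread is worried about.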
that they seem to think they can improve on the thousands of man hours that go into RFCs ???
If I had a penny for every bug I've fixed that originated in a bit of code some smart arse thought was better than tried and tested modules ... I'd have a lot of pennies.
email, telephone and postcode (UK) validation should have been nailed 25 fucking years ago. So why do I still see code (badly) written last week ?
Amateurs ....
The RFCs actually allow a lot of freedom for what comes before the @, because they were written in an era when how people were identified on different systems could vary wildly. IIRC, they even allow case-sensitive identifiers - so JOHN.DOE could be different from john.doe or John.Doe... just I think nobody in their senses ever used it.
Why Google decided to implement GMail in a way that is different from what most people are used to thinking email works is the issue. Maybe they thought it was a smart way to avoid people registering look-alike addresses for doing something nasty, maybe the reasons are others. Anyway, the main issue is having billions of addresses in a single domain, while people with the same name are not rare at all, especially in some countries.
But humans aren't. Sure, written language does use case to better distinguish some words - using some known rules, but spoken language isn't (good luck with voice activated commands...) - and trying to enforce case sensitivity on humans is one of the worst things Unix programmers could think of - a clear case when engineering laziness ("hey, string comparisons in English only are far easier this way!") took precedence over a comprehensive, future-proof solution (hint: in many languages you have to follow proper collation rules to compare strings, or you'll fail).
I understand mail RFCs had to cope with the limitations and bad designs of many early operating systems. There's really no need to persist in those mistakes - software must serve humans, not vice versa.
IIRC DNS was designed to be case-insensitive - think if you had to register all the permutations of a domain name. A URL can contain case-sensitive parts (besides the domain name) because, of course, of the Unix limitations when it comes to accessing the file system...
"maybe the reasons are others. "
I am not saying it was a good idea but AIUI the reason was that many corporates had a firstname.lastname or firstname_lastname policy. Some used to alias all user names so that firstnamelastname, firstname.lastname and firstname_lastname all worked. Gmail dealt with this by ignoring dots and underscores, saving aliasing. Then the Law of Unintended Consequences ensued.
As for capitalisation - many years ago an opposing solicitor complained that an email from our lawyer in NY had been "disrespectful". It turned out she had addressed it to grabbitrunne@sosumi, instead of GrabbitRunne@Sosumi. The pitfalls of email in the 20th century.
The American Express (I know, I know, I didn't choose to use the world's least supported CC, the company did) account page yesterday asked for my mobile number. They ask for a country code and had the expected country code starting with a + already filled in. It then refused to accept the + as it only allows numbers. It also doesn't allow enough digits for a UK phone number and I couldn't progress without giving a number, so now they have an incomplete phone number for me on file.
Somehow I feel that only Americans have a good chance of leaving their mobile number on that system, the rest of the world will just have to be lucky I guess.
(Don't get me started about the space in my surname, that I have letters in my postcode and it is longer than five characters, etc. etc.)
(Don't get me started about the space in my surname, that I have letters in my postcode and it is longer than five characters, etc. etc.)
Pfft. If I give *truthful* answers to "security" questions, I can have problems:
* My father has two middle names.
* My mother's middle name has less than five letters.
* My mother's maiden name has three common ways to spell it (two of which differ only by internal capitalisation), and I can't remember which is the right one.
* Someone posted a screenshot on TDWTF from a site that tried to claim that a surname shorter than five characters was invalid. Mine is only four letters.
At least where I live(1), post codes are five digits.
(1) France.
Names are often implemented extremely badly (and this schema promoted through training), where name fields are recorded in the database as "Title", "First Name" and "Last Name". This then introduces a whole world of pointless pain with validation and formatting where what is often really required is "Full Name" and "Salutation". Many non-English(ish) derived cultures don't have a concept of first name and last (family) name, many don't use them in the same order for full names and salutations, and the minimum length of either component is often zero.
I haven't come across a situation where my last name is rejected for length reasons though, and mine is four letters long. I am the custodian of a "medium" size database where I have just checked and the reported minimum stored length of the surname component is one letter.
(Don't get me started about the space in my surname, that I have letters in my postcode and it is longer than five characters, etc. etc.)
... then there was the time that I was using my surname in testing. Which is of the form "Xx Xxxxxxx" (think "Le Mesurier" but not French, Sicilian). I discovered that someone (who tried to lie, but SourceSafe flagged them up) had the "bright idea" of writing a bit of "validation" which insisted that all names were saved as Xxxxxx Xxxxx.
I flagged it as a bug and the bug tracking system duly recorded the BAs "oh do fuck off response" as they closed the report.
Sadly for them - and the fingered developer - the software we were selling was used by private investment houses in the Channel Islands. Where it seemed customers are very fussy about how their names appear on their statements (for millions of pounds).
Not only were the investment houses less than whelmed, they were incandescent with rage when they were told that the system had managed to lose the original data (by reformatting it) and they would have to conduct an exercise to recapture it. Without the customers knowing.
Heads did roll. But - thanks to my recorded dire warnings when flagging the bug - not mine.
They ask for a country code and had the expected country code starting with a + already filled in. It then refused to accept the + as it only allows numbers
Heh. Copy-paste coding. The net is rife with examples where a phone number is supposedly "validated" so that + in front is not allowed. Eg. https://stackoverflow.com/questions/2386054/javascript-phone-number-validation
I too encounter this all the time. There is a legit workaround: "00" is usually acceptable as an alternative to "+", but not in all countries. In fact, the "+" notation was introduced precisely because of the variation in international prefixes. (But probably there are some moronic web sites that also forbid phone numbers starting with zeros.)
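A phone-number check that accepts the "+" prefix rather than rejecting it, as an added example for the validation problem discussed in the two comments above. It is not the code from the linked Stack Overflow question and not any commenter's; it accepts either "+" or a configurable international dialling prefix ("00" by default, which as the comment says is not universal, so the prefix is a parameter) and returns the E.164 form. The 15-digit ceiling is E.164's; the 7-digit floor, the list of separators stripped, and the function names are assumptions.

```python
"""International phone-number normalisation to E.164 (added example)."""
import re
from typing import Dict, Iterable

E164_MAX_DIGITS = 15      # ITU-T E.164 limit on country code plus subscriber number
MIN_DIGITS = 7            # assumed loose lower bound; catches obviously truncated input

_SEPARATORS = re.compile(r"[\s().-]")   # assumed cosmetic separators people type
_DIGITS = re.compile(r"[0-9]+")         # ASCII digits only (str.isdigit accepts more)


def normalise_international(raw: str, intl_prefix: str = "00") -> str:
    """Return "+<digits>" or raise ValueError explaining why the input was refused.

    Only fully international numbers are accepted: a caller's own trunk form
    ("020 ...") cannot be converted without knowing the caller's country.
    """
    cleaned = _SEPARATORS.sub("", raw.strip())
    if cleaned.startswith("+"):
        digits = cleaned[1:]
    elif intl_prefix and cleaned.startswith(intl_prefix):
        digits = cleaned[len(intl_prefix):]
    else:
        raise ValueError(f"number must start with '+' or {intl_prefix!r}")
    if not _DIGITS.fullmatch(digits):
        raise ValueError("only digits are allowed after the prefix")
    if not MIN_DIGITS <= len(digits) <= E164_MAX_DIGITS:
        raise ValueError(f"expected {MIN_DIGITS}-{E164_MAX_DIGITS} digits, got {len(digits)}")
    if digits[0] == "0":
        raise ValueError("no country code starts with 0; drop the trunk prefix")
    return "+" + digits


def check_batch(samples: Iterable[str], intl_prefix: str = "00") -> Dict[str, str]:
    """Map each input to its E.164 form or a 'rejected: ...' reason; handy for
    reviewing a form's rules against real-looking inputs before shipping them."""
    out: Dict[str, str] = {}
    for sample in samples:
        try:
            out[sample] = normalise_international(sample, intl_prefix)
        except ValueError as exc:
            out[sample] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    # Constructed samples: the UK 020 7946 0xxx and US 202 555 01xx ranges are
    # reserved for fiction, so none of these reach a real subscriber.
    for entered, result in check_batch([
        "+44 20 7946 0958",
        "0044 (20) 7946-0958",
        "020 7946 0958",
        "+1 202 555 0143 ext 12",
    ]).items():
        print(f"{entered!r:28} -> {result}")
```

One limitation worth knowing before reusing this: the "+44 (0)20 ..." habit of writing the trunk zero in brackets is not handled, since after stripping the brackets the zero looks like part of the number; a form that wants to accept it needs per-country knowledge, which is exactly the complexity the "+" convention was meant to avoid.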
Ignoring dots when registering is a good idea. Doing so for receiving/sending mail however is not.
As to why I'm saying they should ignore dots when registering? My dad has a mail address that is my.dad@provider.com. Someone else named the same has the address mydad@provider.com. Forget the dot and the emails go to the wrong person. The other address was registered 2 years after the "dot" account and should imho never have been allowed in the first place for being too similar.
I'm just going to say the obvious: DON'T CLICK LINKS IN EMAILS.
This scam fails utterly if the user goes to the Netflix site and logs into their own account. It only succeeds if someone has clicked on a link sent through email.
Just the other day, Google sent me a notification with a G**D*** link in it, and I sent them back a "WTF is this?" message. The average user CANNOT differentiate between a real/fake, and should just about NEVER click a link unless someone has specifically said to them: "I'm sending you a link". And that is what we ought to be teaching the average joe.
That's a great sentiment but I'm a lawyer who has spent the last 15 years trying to give 60 year old secretaries an inkling of what a phishing email looks/feels like - secretaries who have neither the inclination nor the incentive to embrace new technologies/developments - only for banks to 'modernise' by delivering their instructions by email. Emails which typically include a title comprising a surname and postcode with a body saying something like 'new case, click on this link to access'.
I know I should now move on to a point to this rant but I'm not sure I have a coherent one.
Yes, some don't but some do and the direction of travel is for more emails like that.
Many now outsource sending their instructions (which might sound like a very trivial part of the process not to be able to handle) but a few still use the post/DX. Until recently I would have held up Nationwide (a BS, I know) as a paragon of virtue but even it has switched to the dark side.
Overall, banks don't really give a flying monkeys because they know there's a 99% chance they can recover any losses from the lawyer, no matter how stupid or irresponsible their own practices.
I tried to avoid ranting but you did ask!
>Ignoring dots when registering is a good idea. Doing so for receiving/sending mail however is not.
If you ignore the dots when registering it makes no difference at all whether you ignore it for sending or receiving because there can't be a separate email address at that domain that differs only on punctuation.
"Or: Netflix ignores periods in addresses."
That would be Netflix and any other service that accepts perfectly valid email addresses, though.
Google has the broken system, so it is Google that should fix it, not expect everyone else to comply to how they think the internet should work.
Aside, in the article, it makes the point that Google have "promoted it as a useful feature" - except in the linked post, they give no reasons as to why it is useful. The person who wrote that Gmail blog post uses two bullet points to mention the "+extra" feature and the optional dots, then goes on to give examples of the usefulness of "+extra" (one off addresses that can then be filtered) but does not do the same for the dots.
ISTM, therefore, the only usefulness of the optional dots is to use a regexp[1] to filter out anything with a dot on the left of the @ - which, again, would really amount to other people (Gmail users) doing something to counter Google's brokenness.
[1] Assuming Gmail filters can use regular expressions. I've no idea.
Small correction: When closing the window I put that post in I spotted the image at the bottom. So the one useful thing they could think of is for when people forget if there's a dot. Because their email clients won't remember it for them, presumably.
Not making the link directly clickable would then exclude half of the world's population from being able to complete the task. There are many people who bumble along without really knowing what they are doing. I used to try to educate those that I had contact with but the task was too big and I gave up. Uneducated oldies are the worst. They just can't understand that they have to think before they click and clicking may have consequences.
"Not making the link directly clickable would then exclude half of the world's population from being able to complete the task."
Baloney. The email itself could even include instructions for that.
But, at some point, people have to be expected to learn minimal skills for using the internet. The alternative is the nightmare version of the internet that it's slowly transforming into right now.
It's not a Google-promoted feature but a part of the email address format RFC. The sole reason for its existence is exactly to protect from phishing and spoofing. That developer must have at some stage authorised additional Netflix account creation. No other way for this to work. He should be blaming himself and not Netflix or Google.
I don't know if it is still the case, but at some stage, Gmail refused to send mail to "john@example.com." but "john@example.com" was OK.
The difference? A dot after the .com bit.
But example.com. (with the trailing dot) is a perfectly valid and resolvable name, so why did Gmail choose to ignore it?
I'm sure I've seen this issue reported before. Right here on El Reg.
More broadly, it's an instance of a whole class of issues arising through different agents interpreting standards in different ways[1]. In some cases the standards themselves are at fault: when the HTTP standards RFC723x came out, they gave rise to some security reports to BOTH the major web proxies I'm involved with, changing SHOULD in RFC2616 (and earlier HTTP standards) to MUST NOT.
[1] Or in the case of Microsoft's products that kicked off the whole email-virus thing twenty years ago, deliberately violating a security-critical standard and opening the gates to attacks described in some detail in the informational security discussion in RFC1341 (1992).
"Since the e-mail arrived to the correct inbox, and since it genuinely came from Netflix, Fisher came close to accepting its request that he update his details"
i.e. lazily ignoring the first rule of 'account update' emails, and not going directly to the site and typing in your own login credentials to check your account rather than relying on what's in the email.
Spam filtering.
You have multiple email addresses, which can all be filtered. For example, johndoe@gmail.com can be my main account, but I use john.doe@gmail.com for online forms, and therefore filter any incoming emails with that name to "spam". Then on top of that I could use joh.ndoe@gmail.com to filter to a different folder, etc.
Add in their ignoring of anything after the "+" sign (so johndoe+spammytwats@gmail.com is still delivered to me), and it's quite a powerful tool for inbox management.
This isn't even a story; it's part of RFC 822. I use this gmail feature all the time and find it very useful. Some use cases:
- Abusing offers such as "10% off your first order when you sign up to our mailing list".
- Managing multiple accounts on the same website, for example several personas on a single social media service.
- I recently had a website refuse to forget an old billing address that I couldn't change or delete, which meant my card payment wouldn't authorise. Support was useless, so I just created a new account, with an extra dot in my email address.
- Throwaway email addresses without having to use another service (mye.maila.ddre.ss@gmail.com)
What's happened is that a developer who thinks he's too clever to fall for a phishing scam nearly fell for a phishing scam, so he's looking for anyone other than himself to blame.
Interesting, but it confirms Onymous Coward's point. RFC2822 simply says the part before @ is a "locally interpreted string" which may contain alphanumeric characters and various punctuation including dots. It doesn't say how the email host should interpret the string.
Is GMail's ambiguous interpretation RFC2822-compliant? Yes.
Was it a mistake for the RFC to allow ambiguous email addresses? IMHO yes. Ambiguity leads to insecurity.
Was it a mistake for GMail to implement this ambiguity the RFC allowed but didn't require? IMHO yes.
Does GMail's ambiguous address parsing really protect you from spam? IMHO no, because the spammers know all about it and even exploit it.
I don't know why GMail doesn't just change it. Who cares if it breaks things for some users? Never stopped 'em before!
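The comments above on filtering by dotted spelling, on the RFC leaving the local part "domain dependent", and earlier on Gmail rejecting a trailing dot in the domain all hinge on the same question: which spellings of an address land in the same mailbox? The following is an added example written for this thread, not code from Google, Netflix or any commenter. It assumes (and the page does not state this) that only gmail.com and googlemail.com are treated as dot- and "+tag"-insensitive, and that every other domain's local part is compared verbatim, since a service cannot know other hosts' internal naming rules. The `Registry` class is a hypothetical account store used to show the collision a signup check should catch.

```python
"""Canonicalising Gmail-style addresses so a service can tell that
joe.bloggs@gmail.com and joebloggs@gmail.com deliver to one mailbox.

Added example for this thread; not Google's, Netflix's or a commenter's code.
Assumption: only the domains in DOT_INSENSITIVE_DOMAINS ignore dots and
"+tag".  Other domains keep the local part byte-for-byte, because the
RFC leaves local-part interpretation to the receiving host (some hosts
are even case-sensitive, as one comment notes).
"""
from __future__ import annotations

import re

# Providers known to ignore dots and "+tag" in the local part (assumption).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# Simple addr-spec: one local part, one domain, no whitespace or display name.
_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def split_address(addr: str) -> tuple[str, str]:
    """Return (local_part, domain); the domain is lowercased and a trailing
    dot (the FQDN form Gmail reportedly refused) is dropped."""
    m = _ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a simple addr-spec: {addr!r}")
    return m.group(1), m.group(2).lower().rstrip(".")


def canonical_mailbox(addr: str) -> str:
    """Key identifying the mailbox an address actually delivers to.

    Dot-insensitive providers: strip everything from the first '+', remove
    dots, lowercase.  Any other domain: local part unchanged, domain lowercased.
    """
    local, domain = split_address(addr)
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both spellings deliver to the same mailbox."""
    return canonical_mailbox(a) == canonical_mailbox(b)


def alias_tag(addr: str) -> str:
    """The variant a sender used: the '+tag' if present, otherwise the exact
    dotted spelling.  This is what the inbox-filtering trick in the thread
    keys on; empty for providers where no aliasing is assumed."""
    local, domain = split_address(addr)
    if domain not in DOT_INSENSITIVE_DOMAINS:
        return ""
    if "+" in local:
        return local.split("+", 1)[1]
    return local.lower()


class Registry:
    """Hypothetical account store keyed by canonical mailbox."""

    def __init__(self) -> None:
        self._accounts: dict[str, str] = {}

    def register(self, addr: str) -> bool:
        """Create an account; return False if the address already maps to an
        existing mailbox (the collision a second dotted signup would cause)."""
        key = canonical_mailbox(addr)
        if key in self._accounts:
            return False
        self._accounts[key] = addr
        return True

    def owner_of(self, addr: str) -> str | None:
        """The spelling originally registered for whatever mailbox addr hits."""
        return self._accounts.get(canonical_mailbox(addr))


if __name__ == "__main__":
    reg = Registry()
    print(reg.register("joebloggs@gmail.com"))        # True
    print(reg.register("joe.bloggs+netflix@gmail.com"))  # False: same mailbox
    print(alias_tag("j.oebloggs@gmail.com"))            # "j.oebloggs"
    print(same_mailbox("Dave@example.com", "dave@example.com"))  # False
```

The conservative choice for unknown domains (compare the local part verbatim) means the registry will still accept `Dave@example.com` and `dave@example.com` as two accounts; whether that is right depends on the receiving host, which is exactly the ambiguity the thread is arguing about. Canonicalisation only narrows the collision space for providers you know; it does not replace sending a verification mail to the address.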
This is a useful feature as it lets me register multiple times for services (along with the email.address+whateveryouwant@gmail.com trick).
It's also nice that I know all about a famous hairdresser that shares my name, and almost my email address. I've watched him move house from the East Midlands to the USA, got notifications whenever he booked a taxi, had invoices and photoshoot details. I've got all his personal details, bank account details, phone numbers, DOB, those of his wife too, his kids names.
If that's not useful (to me) then I don't know what is.
I've reset the password on various services where people have done this - however, be aware that they can't possibly have the non-dotted version of my email address so that's not the issue. The issue is they've made a typo in the email anyway.
For example, if I was joe.bloggs@gmail.com and I get a Pizza Hut email to joebloggs@gmail.com then that's not because someone has registered joebloggs. They can't, Google won't let them because I'm already joe.bloggs.
They must be joebloggs1, or j0ebl0ggs or something and they've typed it in wrong. This will always happen, regardless of how dots are processed.
As for "squatting" and who recognises what as who. Nobody will EVER take an email address as a unique ID, it's perfectly legal to have an email address that isn't my name.
Having a many-to-one mapping between email address and mailbox is not the problem; there are plenty of ways to do that even without this gmail feature.
The fault is entirely with Netflix - they should not allow someone to sign up for a site without validating the email address to ensure the person signing up owns that email address.
So Netflix doesn't require e-mail verification?
I mean I've had quite a bit of mail for some other people landing in my account, including someone's iTunes account and someone's phone bills. I can only assume it was either mistyped or someone was too retarded to remember their e-mail address; that said, I always wondered how dumb were services who did it without a confirmation e-mail.
Didn't expect Netflix to be this idiotic either.
Why no one seems to be identifying the real source of risk, which is that Netflix allows you to use an email for contact and billing without verifying that the owner of that email address actually intended to do such a thing is beyond me.
This is, simply, Netflix failing to perform due diligence on the account when it was created.
Google claims that an email with first.lastname@gmail.com is the exact same email as firstlastname@gmail.com, but they are wrong.
I daily get emails for a person with the same name as me - I've been able to follow his life around for the last few years based on what he signed up to, and he's currently working in America after emigrating there from Ireland some time ago (he also just bought an iPhone, as I got the confirmation email numerous times before he gave up and used a different one). I've actually spoken to him as I did get some urgent contracts some years back and they included his phone number.
Oddly he never gets emails meant for me (I have a dot in my gmail address where he doesn't)
He has simply entered your email address when signing up/buying things. That's why you receive emails intended for him but he doesn't receive emails intended for you. It's the same as him entering your home address and you receiving the stuff he's bought!
This is the entire problem, as a few others in the comments have alluded to. When signing up with an email address - on Netflix or anywhere else - the service should send a verification email. If you signed up, verify the account. If you didn't, don't. It's as simple as that.
This is a non-story. Either Netflix didn't require verification when the dotted email address was used to sign up (or an existing Netflix account was changed to the dotted email), or the developer in question has at some point in the past accidentally verified the account. Either way, the blame is not with Google. I'm surprised at the number of people on here that think Google is the one at fault!
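Several commenters say the fix is for the service to send a verification email and to do nothing with the account until the token comes back. What that looks like in practice, as an added example written for this thread and not Netflix's or any commenter's code: the account is created as unverified, an HMAC-signed token bound to the address, a per-signup nonce and an expiry is what gets emailed, and only a valid, unexpired, unused token flips the account to verified, which is the gate for adding billing details. The service name, secret key, clock and in-memory store are all constructed for the example; the token format is an assumption, not any real provider's.

```python
"""Mailbox-ownership verification before an account may carry billing data.

Added example for this thread; not Netflix's or anyone else's code.
Hypothetical flow: start_signup() stores an unverified account and returns
the token that would be e-mailed to the address; whoever reads that mailbox
returns it to verify(); can_add_billing() is the gate every later step
should check.  Secret, clock and storage are constructed here.
"""
import base64
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # seconds a verification link stays valid


class VerificationService:
    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now  # injectable clock so expiry can be tested
        self.accounts: dict[str, dict] = {}  # email -> {"verified", "nonce"}

    def _sign(self, msg: bytes) -> bytes:
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def start_signup(self, email: str) -> str:
        """Create (or reset) an unverified account and return its token.

        The token is the only thing that reaches the address; a signup
        using someone else's address never sees it.
        """
        nonce = secrets.token_urlsafe(16)
        self.accounts[email] = {"verified": False, "nonce": nonce}
        expires = int(self._now()) + TOKEN_TTL
        payload = f"{email}|{nonce}|{expires}".encode()
        tag = self._sign(payload)
        return (base64.urlsafe_b64encode(payload).decode() + "." +
                base64.urlsafe_b64encode(tag).decode())

    def verify(self, token: str) -> bool:
        """Consume a token; True only if it is intact, unexpired and unused."""
        try:
            payload_b64, tag_b64 = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:  # malformed token or bad base64
            return False
        # Constant-time MAC check before trusting any field of the payload.
        if not hmac.compare_digest(tag, self._sign(payload)):
            return False
        email, nonce, expires = payload.decode().rsplit("|", 2)
        if int(expires) < self._now():
            return False
        acct = self.accounts.get(email)
        if acct is None or acct["verified"]:
            return False
        if not hmac.compare_digest(acct["nonce"], nonce):
            return False  # token from a superseded signup attempt
        acct["verified"] = True
        acct["nonce"] = ""  # single use: a replayed link must fail
        return True

    def can_add_billing(self, email: str) -> bool:
        """Gate for card details and any other account-changing action."""
        acct = self.accounts.get(email)
        return bool(acct and acct["verified"])


if __name__ == "__main__":
    svc = VerificationService(secrets.token_bytes(32))
    tok = svc.start_signup("joebloggs@gmail.com")
    print(svc.can_add_billing("joebloggs@gmail.com"))  # False until verified
    print(svc.verify(tok))                              # True
    print(svc.can_add_billing("joebloggs@gmail.com"))  # True
    print(svc.verify(tok))                              # False: already used
```

The point the thread makes is in `can_add_billing`: whatever the mail provider does with dots, the person who typed a dotted alias of someone else's address never receives the token, so the account stays unverified and cannot progress to a "please update your card" state.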
I also have a gmail address with a DOT only because it was not available WITHOUT a dot, as it was taken by someone else.
So two gmail addresses belonging to 2 different people, the only difference is the dot.
Now I did get that gmail address quite a few years ago, so they must have changed this functionality since then, causing addresses with DOTS to just be an alias of the address without. In which case, hardly surprising that people have started getting other people's email.
Ho hum.
So.
Forewarned is forearmed, although those people who are not savvy enough to spot that extra dot will have some issues.
Sure, there are benefits of having joe.bloggs@gmail.com and joebloggs@gmail.com, BUT the risks far outweigh the benefits. So, from my side I say that it is a huge risk, and not something I need in my life.
Time to go hunting for a different email provider then.
I have still got a Googlemail.com email address, and last time I tried, the dots in the email address didn't work for that one; the mail got bounced back as undelivered, but on another address I've got which is a gmail.com the dots did work.
I use Linux daily and the case sensitivity is a pain; the Amiga OS was very Unix-like but they decided to make it case-insensitive with some backward compatibility to support case-sensitive files copied from Unix. I rather hoped that this approach would be brought in to Linux to phase out case sensitivity.
If Netflix are honestly sending out emails that request updated credit card details without requiring you to log in (which the “victim” couldn’t do because they don’t know the password for the fraudulent account) then there are far bigger issues here than the handling of dots in email addresses!
Whilst I’m sure there are probably ways of abusing gmail’s ignoring of dots (not to mention the ‘+’ behaviour) in addresses, I suspect (or sincerely hope) this isn’t one of them.
This is an information risk because Netflix allows different people to register with only the dot difference in the first part of their mail address.
Netflix thinks that
netflix.sucks@gmail.com
is different than
netflixsucks@gmail.com
Why all the hate for gmail? It's netflix that sucks.
No, it's not Netflix's responsibility to know every email host's internal naming rules. That's impossible. Netflix should verify email addresses (I assume they decided payment info was adequate user verification) but it was GMail that "helpfully" redirected netflix.sucks to netflixsucks until a scammer signed up as netflix.sucks. Gmailsucksmore.
The RFCs suck even more. Most internet protocols, old and new, have these ambiguities. The internet was designed to be flexible, not secure. It was only a research prototype, but it seemed to work well enough, so nobody bothered with version 1.0. If GMail is in perpetual beta, Internet is perpetual alpha.
It's funny that so many people are commenting on this yet no one has checked by signing up to Netflix with a spare account, and seeing if it's actually possible to do as suggested.
There should be no way for someone to login to netflix and add their CC details to an account they don't know the password to even if they know the account name and have a link notifying the CC is invalid and a new card needs to be entered.
Think about it.
To change the CC you need to log in to the site using the spoofed email with a dot in a different place and enter a password. As you won't know the password you can reset it and add the CC, but then the person who spoofed you will need the new password to gain access, which will fail as they won't know it. At worst you will now have two Netflix accounts, which Netflix can easily refund once you notify them.
I would be perfectly happy to have gmail stop ignoring dots in email addresses IF all sites actually supported valid email addresses with + in them. It still baffles me the number of email validators on many sites (including government sites) that claim + is not a valid character in an email address.
Over the years, I've gotten lots of emails for lots of people that clearly typo'd their email (and not just a dot difference). I've gotten email from lawyers, order details for an artist in CA, email from doctors, and many other probably important emails. In some cases, I did attempt to notify the sender to the error if it seemed important. By far the most annoying was somebody signing up for a TON of payday loan sites using my email address (fortunately Google sent most of them to spam even without me doing anything).
You can no longer register an address with extra dots. Note that what Google does is perfectly legal in internet standards terms. The mail standards are clear: what is to the left of the "@" can be interpreted in whatever way you want. Most systems already ignore upper/lower case but some don't, so Dave & dave are different...
I, like others here, have been getting emails from companies that I have no dealings with.
There is a driving school owner in Yorkshire that I could have burgled when he was on holiday.
There is a lady (I am a bloke) that I could have screwed up her Sky installation.
There is also a person or persons in Australia who have used my gmail account to sign up for all sorts of things. Gas, Electricity, Termite infestation report, etc...etc..
Some of the OZ ones have no email contact information on their emails or websites, just a 'local' telephone no. Not local for me, so no calls. Other sites, I have emailed them explaining the problem and advising them to send a letter to their customer(s).
AliC33 ; as far as I know, if one has opened an account - say ali.c@gmail.com - no one will be able to open a similar «dotless» account, of type «alic@gmail.com». Your experience seems to differ from my own and from my understanding of the manner in which Gmail accounts are supposed to work....
Henri
I'm in the exact same position.
I have <initial>.<initial>.<surname>@gmail.com, and I get a reasonable amount of email (including when he signed up for Netflix!) which is meant for <initial><initial><surname>@gmail.com.
I've no way of contacting him, as I don't have his other contact details, and when I try to send email to his <initial><initial><surname>@gmail.com address, it ends up in my inbox :-(
Don't get the issue here, security is becoming so much FUD with 'researchers' finding little things to get printed!
Say my email is a.user@gmail.com
If someone were to sign up with Netflix with the account auser@gmail.com surely I would get an email to confirm my account and it shouldn't work till I do confirm the account... If that isn't the case then surely this is more an issue with Netflix! And surely if someone were to ignore various emails to say they have created a new account that they never actually did, then (I assume) follow a link in the email (is there not any authentication.....) and enter their card number then it's a) Netflix being very poor by design and b) users being stupid to blindly enter their card number!
If someone creates a netflix account or any account using a gmail address that is actually an alias of yours, then you are going to get the welcome email of the newly created account, which you would have to also completely disregard in order to fall for this. The person who created the account would never get that email because they do not own that email address.
Also doesn't netflix send out an account activation email to verify the email address?
EXCUSE ME?!
How is Netflix considered secure if they DON'T VALIDATE THE E-MAIL-ADDRESS?!
If you sign up for a new account the first thing that needs to be done is to verify the e-mail address before any other action can take place. Because your e-mail address is your identity. It is highly unprofessional to perform any transactions before the identity is confirmed. And here you can see why...
Well as a happy user of the dots and the plus signs, I must say I like gmail the way it is, but then I have long name with a hyphen in it that makes it quite rare.
Surname-mine+me, Surname-mine+wife, Surname-mine+child all land in one place for easy onward sorting.
Moving the dots when signing up for spam-like things makes it easy enough to auto-filter on the dots to put it in the junk mail pile.
But I came to Gmail from using Freeserve, which did the extension into many names even more uniquely, and was pleased to find that it was at least possible.
Less pleased to see that despite "+" and "-" signs being legitimate characters in email addresses, a number of organisations seem unable to handle them, including my bank.
Previously
mynet@freeserve.co.uk
would pick up
me@mynet.freeserve.co.uk
you@mynet.freeserve.co.uk
anyoldthing@mynet.freeserve.co.uk
or I could log in with one of those and see just the filtered view. If only something like that had become an agreed standard.
I immediately assumed "well, gee; the RFC (2822) should answer this definitively". So I looked and found out that "The local-part portion is a domain dependent string. In addresses, it is simply interpreted on the particular host as a name of a particular mailbox." There is no definition of how that interpretation works. I also thought emails were always lower case, but then realized that _my_ ISP says it translates to all lower case, but there is no such requirement in the RFC.
I still think it is bad practice to blur something that people think of as a unique identifier.
This attack doesn't make sense.
Surely you would need to know the other account's password to log on.
I just set up a Netflix account to test and even clicking on the link in the mail takes me to an authentication page.
Also, even if you do enter your details into the wrong account - the best the attacker will be able to find out is the truncated number of your card which won't be very useful (I know it is not nothing but it is really not worthwhile jumping through multiple hoops to get one part of one person's card).
I wasn't able to test whether:
1. You are already authenticated to Netflix on your own account;
2. Email arrives and you click the link which takes you to a different Netflix account without needing to authenticate.
3. You are now logged into the new account.
I doubt this would work but if it did then the issue would be on Netflix's side and not Google's and it would be serious enough that they should fix it.
Otherwise - move along - you are not being phished. You are safe. There is no way your card details are going to a third party (through this method). Rather look out for real phishing emails.
I've always regarded Gmail's refusal to recognise dots in email addresses - or rather, refusal to allow a new account with the address «john.doe@gmail.com» to be opened in the event that an account with address «johndoe@gmail.com» already exists - as a valuable safety feature, given that inadvertent omission or adding of dots in such addresses is one of the most common errors made by users. Gmail's praxis renders it impossible for someone who notes that John Doe can be reached at johndoe@gmail.com to open new accounts with such addresses as «john.doe@gmail.com» or «j.ohndoe@gmail.com», etc, etc, and thereby intercept post meant for the first-named....
Rather than Gmail ceasing this practice, it would, to my mind, be far better were other email and other service providers to introduce it....
Henri
I received an email from Instagram telling me to reset my password and this email was sent to my gmail account. It too had a dot in the middle of my gmail handle. Problem is, I don't have an Instagram account, so the scumbag who was trying to access what they thought was my Instagram account was probably chasing nothingness.