back to article Gmail is secure. Netflix is secure. Together they're a phishing threat

A developer has discovered that Gmail's email handling creates a handy phishing vector to attack Netflix customers. The problem is that Netflix, like most systems, recognises dots in e-mail handles (so richardchirgwin and richard.chirgwin are different accounts) – but Gmail does not. Over the weekend, developer James Fisher …

  1. Anonymous Coward
    Anonymous Coward

    This has happened to me for years

    But with Amazon. Sometimes I cancel her parcels.

    1. Lee D Silver badge

      Re: This has happened to me for years

      Yeah, I have a guy with the same name in Ireland who's somehow convinced that he has a variation of my email address.

      One year I managed to get a postal address off a plane ticket he bought and sent him a letter. He was very good for a while, and wrote a nice letter back and closed a bunch of accounts (including PayPal - I could have been very naughty and "confirmed" his account and then waited for him to add a credit card, but I'm far too honest). But then either he or another person in Ireland with the same name started doing it again about six months later.

      I now just put them in spam folders. Fact is, it's more tricky to convince me anyway as I have a domain that forwards to various things (one destination is a GMail that I can access on the go), but for which I use unique prefixes for each service. It's quite obvious and takes seconds to know if an email was sent to the actual prefix I signed up with, to some made-up prefix at my domain, or direct to the GMail account. Pretty much anything direct to the account is spam (I've never advertised that address whatsoever).

      I always wondered what the point of the dot-address stuff was on GMail as I could only think of ways for it to go wrong. On a side-note, does anyone remember the Apache mod_spell module, that would try to correct mis-spelled page names? That always seemed the same to me... surely it just lets a ton of mis-spelled links propagate all over the web rather than actually fix the problem.

      1. Dave 126 Silver badge

        Re: This has happened to me for years

        I use the dot in my Gmail address. Say I'm signing up to a website, I might use j.oebloggs@gmail instead of joebloggs. If that website passes on my address and results in spoof mail, I can more easily block it. It's handy because not everyone site accepts a plus sign in the email field so I can't always use joebloggs+netflicks@gmail.com

        1. John Brown (no body) Silver badge

          Re: This has happened to me for years

          "It's handy because not everyone site accepts a plus sign in the email field so I can't always use joebloggs+netflicks@gmail.com"

          Conversely, a dot IS a valid part of an email address so Google ignoring it is just wrong.

          1. Medical Cynic

            Re: This has happened to me for years

            If you can create a filter about dots, as the linked article says you can with plus signs, it would be worth setting this up to add a red label as a warning.

      2. CrazyOldCatMan Silver badge

        Re: This has happened to me for years

        he has a variation of my email address

        This is one of the positive benefits of owning my own domain and running my own server - I control absolutely who gets an email address and what format it is.

        Of course there is a downside - having a catchall address also means what little spam gets through my firewall ends up in my address (which can also be useful - I can use variants of my email address for specific vendors so I'll know who has been abusing my emails..).

        1. Trixr

          Re: This has happened to me for years

          I have to say that operating a catchall address in this day and age is really a liability and not an asset. Unless of course you're maintainer of some RBL.

          If you want to know who's trying to spam you, you simply look at the mail log and the rejected messages.

          If you're using it as a honeypot to construct some kind of home-baked RBL, then just subscribe to Spamhaus Zen. Their database is orders of magnitude bigger than anything a little home domain will encounter... and is therefore much more useful if some exploit is in the wild. It's free for a host processing less than 100,000 SMTP connections per day. I used it for my medium-sized organisation (5000 mailboxes) until they made us get crappy Ironport. Like any RBL, the rejected connections are clearly logged in the mail log.

          If you're operating a catch-all to capture misspellings of your email address(es), simply set up a catch-all that's aliased only with the likely misspellings.

      3. littlesmith

        Re: This has happened to me for years

        Google (as well as the infamous mod_spell) ignores two basic rules of good software development:

        1. Never fix user input!

        2. If the customer insists on breaking the first rule, then let the software inform the user about the fix and let the user confirm the fix!

        Fixing user input silently is very wrong. There are so many reasons for wrong user input: Typos, wrong information, fraud etc. If a software fixes it without informing the user, the user has no chance to find out hat something is wrong.

        I don't use Gmail, so I was quite surprised that they do such a stupid thing. I thought in 2018 every software engineer should have learned that at university...

        BR

        littlesmith

    2. Martin Summers

      Re: This has happened to me for years

      I'm in contact with around 3 or so namesakes I get email for including one in my home town. I've had property rental statements, mortgage application details house sale agreements, job contracts. I even got something rather important that I could have digitally signed for and caused all kinds of issues. Quite a lot of the time the companies they are using have assumed my namesakes have made a mistake in the email address they've given and corrected it to mine off their own back. I am however nice and let people know of their mistake. I even forward email on to one guy in the US, trouble is when I used to send myself an email to remind myself of things (stopped doing that a long while ago), he was in my autocomplete and I sent him my private stuff a couple of times!

      I've used the dot in my email address for services that point blank refuse to allow me to use my original email address as they have it on file but no password reset mechanism. I find it quite useful so I hope it's not retired.

      1. Professor Clifton Shallot

        Re: This has happened to me for years

        > I've had property rental statements, mortgage application details

        > house sale agreements, job contracts.

        Same.

        It turns out that a lot of people have a firstname.lastname that is the same as the single name on a gmail account I use - and it seems plenty of them are handing out the wrong address or friends and family are misremembering / guessing wrongly.

        I was copied into one conversation involving organising, and paying for tickets to a group trip to an event at the Sydney Opera house that in total gave me a perfect little identity theft kit overnight.

        I've had very many opportunities to activate post-sale services for someone in California who bought a posh car. And for someone on the East Coast who bought a much less posh one.

        There have been plenty of invites to things that sounded like a lot of fun but were happening on the wrong continent and more than a few pieces of very personal news.

        It's not really much of an inconvenience for me but I suspect some of the intended recipients would really rather it did't work the way it does.

    3. Sorry that handle is already taken. Silver badge

      Re: This has happened to me for years

      I am constantly receiving emails intended for multiple people with the same name as me. I even called one on the phone to warn them, but I think that just freaked them out.

  2. Anonymous Coward
    Anonymous Coward

    Google ignore dots in email addresses? Why? It's bound to cause problems like this.

    Am I right in thinking that this is not a widely understood feature?

    1. Anonymous Coward
      Anonymous Coward

      IIRC it says on the registration form.

      1. Anonymous Coward
        Anonymous Coward

        IIRC it says on the registration form.

        Well, that depends on when one registered a gmail address (like, a long time ago). It's also exactly the kind of thing most people will forget. It's also very non-standard. And who actually reads that crap in the first place?

        1. Anonymous Coward
          Anonymous Coward

          Well...DUH!

          Also, why havent folks complained about ignoring the + you can put at the end of your gmail address?

          So yournamehere+whatanumpty@gmail.com would work just as well as your.name.here@gmail.com

          WHY OH WHY OH WHY do f**ktards like to moan about features that have been around since day 1 ???

          Cant the commentards just keep them.selves to themselves.... ???

          Sure, this is something to be aware of, but hey - dont go blaming google becuase you are a numpty that doesnt understand the service you are using FOR FREE.....

    2. Amos1

      Why should punctuation in a name indicate a different person any more than it does in real life?

      "John Doe Jr" is the same as "John Doe Jr." in real life. "John J Doe is the same on any legal document as "John J. Doe".

      Treating punctuation differently in email addresses is no different than typo-squatting a domain name except it's less obvious.

      Gmail has been this way for years and other sites should follow their example on all new email addresses. We know what evil lurks on the Internet so let's close off the easy methods rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway.

      1. Jediben

        Re: Why should punctuation in a name indicate a different person any more than it does in real life?

        It's not a different person, it's a different location. Works for other things too.

        Would you prefer your holiday destination to be 27.3c or 273c?

      2. tip pc Silver badge
        FAIL

        Re: Why should punctuation in a name indicate a different person any more than it does in real life?

        "rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway.

        most email clients hide the actual email address that is being sent to so there is little chance to spot the mistake. The thing is though, it should not matter if someone changes their email address to yours post sign up as an email should be sent stating "you've changed your email address to this, click here to confirm. If you've not changed your address then ignore this email" or some words along those lines. When the link is clicked, the user should have to then enter their account username and password before the change is confirmed. If someone is trying to spoof or phish you into something, not having the password will stop the email change to look like yours. in order to login and add a CC will require a password reset and the scammer won't have it and won't be able to reset it as the reset email will go to you. you may end up with 2 netflix accounts, but thats easily refundable by netflix as why would you have to accounts with similar email addresses?

        This is all FUD and aimed at Netflix for the person who claims this story happened to them to gain some column inches.

        This is easily verifiable by anyone changing the email address of their Netflix or other reputable online service/retailer. There are established rules and procedures around doing this thing, any auditor will check for.

        1. HugoToledoUSA

          Re: Why should punctuation in a name indicate a different person any more than it does in real life?

          I don't think you understand the attack. You create a previously non-existant account on Netflix, which is given the dotted email address. When the legitimate Netflix user gets the message, they are able to change the card details. Some (admittedly small) percentage of folks will do just that, allowing the fake user to get Netflix for free.

    3. ThomH

      Re: 'why', I would assume it's from a zealous reading of RFC 2822; in its grammar a dot is defined as a separator but a separator has no defined lexical meaning for the local part of an address. A server can do whatever it wants — to the extent that 2822's predecessor, 822, received an official amendment to clarify that the local part should not be modified when forwarding messages. Prior to that it was valid for server A to remove or add dots as it felt fit, then pass that along to server B assuming it made no difference there either.

  3. Anonymous Coward
    Anonymous Coward

    Although...

    To be clear, Google *no longer allow you* to register an account that exists, but with extra dots. But *they used to*. So the bug in the original article isn't quite accurate; you can't go creating accounts. But there are a subset of existing accounts that have alternates.

    1. Anonymous Coward
      Anonymous Coward

      Re: Although...

      I think it is more complicated than that; if I send an email to an account that I KNOW exists - exactly the same as my account, but with no ".", gmail sends it to that account; but if someone in certain parts of the world (southern US for certain), sends to that address, I get their email.

      This has only been happening to me for a couple of years, and I have had this email address since we had to call it "googlemail.co.uk".

      I have told a certain US car dealership about this bug MANY times, but they keep asking me to take my car in for a service.

      1. John 110

        Re: Although...

        It's good to know I'm not alone, although I put it down to carelessness on the part of someone giving their email address. These days I just delete the emails, but I have been known to report them to abuse@ whoever sent them, and once I went the extra mile to inform a doctor's practise in California that their patient was never going to turn up for surgery... (That was hard, due to a reluctance on the part of the practise to put any contact details on the website that didn't need logged in to, and I wasn't going to phone them)

        1. Marcelo Rodrigues

          Re: Although...

          "and once I went the extra mile to inform a doctor's practise in California that their patient was never going to turn up for surgery... "

          I did it too! They didn't stop trying to contact the "other me"

      2. Shadow Systems

        At Ian Emery, re: car dealer...

        I've had fun in a similar situation.

        I kept getting accidental/incorrectly addressed email to me but for someone located in the UK. I replied to the dealer that I wasn't the right person, that my email was used in error, & to please remove it from their records. They were either too inept or lazy to scrub it, so the next time one came in from them I decided to have a bit of fun.

        I replied "Sure you can service my car. Please send a towtruck & a temporary vehicle for me to drive while you have mine in the shop." They agreed (evidently the other person had bought a rather expensive car & the dealership figured they could soak the fool) & asked me to confirm the address to which they would send them. I sent them the Google Maps coordinates. They replied "That can't be correct, that's not even in the UK!" To which I replied back "No shit. Neither am I. But since you can't be fuckin' arsed to fix your fuckin' records then you've already agreed to send a tow & a temp car. When whill they arrive?"

        They never sent me another email.

        *Cackle*

        I tried to be polite about it, I tried to do the right thing, but when the other party refuses to act accordingly... It's time to fuck with their heads!

    2. Maverick

      Re: Although...

      I have this a lady on the West Coast of 'merica registered with one dot not two, make easy to spot as my first name becomes a female name. Gmail filtering also helps but why the heck they designed it that way is beyond me, also not have Netflix is a BIG plus from every angle ;)

    3. Anonymous Coward
      Anonymous Coward

      Re: Although...

      Er, I think the point is that Netflix do distinguish between agmailuser@gmail.com and a.gmail.user@gmail.com. To Netflix, they're different addresses, so different accounts. Google don't make a distinction.

      So if you learned that someone with the address agmailuser@gmail.com had a netflix account, you can have an account on netflix under the name a.gmail.user@gmail.com. Emails sent to a.gmail.user will actually arrive in agmailuser's inbox. If they're not paying attention, phish!

      Effectively Google have given gmail users an infinite variety of email addresses, meaning that it's possible for literally everyone else on the planet to cybersquat on their identity on all other services on the planet. If you are a gmail user, and you have an account on, say, Netflix and want to prevent anyone else taking out an account in your name you'd have to also take out accounts in the name of a.g.m.a.i.l.u.s.e.r@gmail.com (and every combination of letters and dots in your email address), plus all combinations of agmailuser+<insert any string here>@gmail.com. Clearly that's not possible.

      Google's "handy feature" is stupid.

      1. Szymon Kosecki

        Re: Although...

        It does not allow squatting as every such email address would still get delivered to your mailbox. It actually prevents squatting because of that.

        1. Anonymous Coward
          Anonymous Coward

          Re: Although...

          It does not allow squatting as every such email address would still get delivered to your mailbox. It actually prevents squatting because of that.

          No it doesn't. It requires you to spot and deal with emails that no one else on the planet is expecting you to receive. You make one single mistake doing that, it could cost you money and they're squatting. You can't even correct your mistake because they have the password for that account on that service, not you.

          No one but Google (not Netflix, the police, the courts, the banks, etc) considers agmailuser@gmail.com to be the same person as a.gmail.user@gmail.com.

          1. D@v3

            Re: They have the password.

            They do, but a couple of times i have received emails from services i have never heard of, so i go in, have 'forgotten my password', reset link gets sent to my email, i now own the account.

            1. Anonymous Coward
              Anonymous Coward

              Re: They have the password.

              @D@v3,

              They do, but a couple of times i have received emails from services i have never heard of, so i go in, have 'forgotten my password', reset link gets sent to my email, i now own the account.

              That's all well and good, but you may also have taken on legal responsibility for the account. That might come along with all sorts of liabilities, which might include (depending on the service provider and what is being provided) debt, criminal prosecution, ownership of some difficult-to-explain-in-front-of-a-judge content, etc. Trying to protest "but that's not my real email address" when, clearly, it is (and Google are also saying it is) sounds like a bad day to me.

              On the whole, not a good idea I think.

          2. MonkeyCee

            Re: Although...

            "You make one single mistake doing that, it could cost you money and they're squatting. You can't even correct your mistake because they have the password for that account on that service, not you."

            Lack of joined up thinking there AC.

            If you don't have a password, you can't load a CC.

            If you do have a password, the spoofers don't.

            If you have a problem, you contact netflix, and seeing as you control a) the contact email address and b) the credit card, I fail to see how you can't cancel the payment.

            Unless there's some method of inputting the CC into an unsecured form.

            "No one but Google (not Netflix, the police, the courts, the banks, etc) considers agmailuser@gmail.com to be the same person as a.gmail.user@gmail.com."

            They consider them to be separate email addresses. A person can clearly have more than one address. More than one person have access to an email address. In fact there is no direct relationship between natural persons and email addresses.

            Personally I find it quite handy, but I have some 40+ email addresses being delivered to the same gmail account. Luckily it's yet to confuse the police, courts or the bank, all of whom use such boring things as a physical address or phone number when they really want to get hold of me, rather than email.

          3. mmccul

            Re: Although...

            Well, RFC 822 section 6.2.4 seems to disagree with you.

            1. Oliver P

              Re: Although...

              mmccul, I think you have misread RFC 822 section 6.2.4. It says, 'This specification treats periods (".") as lexical separators.' It says that the effect of these lexical separators is to divide the name of the mailbox and turn it into a sequence of tokens.

              Dividing a string in different places will yield distinct sequences. Note that the sequence ("a", "b"), which is a sequence of length 2, is a distinct sequence from the sequence ("ab"), which is a sequence of length 1.

      2. MOH

        Re: Although...

        I'm normally the first to hate on Google, but I don't see how is this their fault?

        It sounds as though Netflix are allowing people to register accounts with email addresses without bothering to validate that they have access to those addresses?

        That's insanely irresponsible, if that is actually the case. I hope I've misunderstood something.

        1. imanidiot Silver badge

          Re: Although...

          It's actually the other way around from what you are thinking. If YOU are registered to these services with a "dotted" email address, then someone can steal the account by creating an undotted email and then getting all of YOUR email. Including account password reset emails. Good luck getting your account back.

      3. tip pc Silver badge

        Re: Although...

        "If you are a gmail user, and you have an account on, say, Netflix and want to prevent anyone else taking out an account in your name you'd have to also take out accounts in the name of a.g.m.a.i.l.u.s.e.r@gmail.com (and every combination of letters and dots in your email address), plus all combinations of agmailuser+<insert any string here>@gmail.com. Clearly that's not possible.

        Google's "handy feature" is stupid."

        Do netflix and others not require the email account to be confirmed via some unique link before the account is activated?

        Yes someone could setup the account but they will never see any correspondence and the dotless account owner would be notified.

        I have seen that some sites are aware of googles dotless addressing and will strip the dot when checking for existing accounts and bleet if they have an existing account regardless of where or how many dots where entered in the submission. Its not a difficult regex to write to validate & sanitise the input prior to db lookup.

        This is nothing but a subtle fishing attack and will catch out those who are click happy, but is easily fixed by netflix, with no need for Google to disable what is a useful feature for some.

  4. Stuart Moore

    email verification?

    Does Netflix not require some kind of email verification? I can't see how this would work without the scammer first getting the mark to tell Netflix this is a valid email address

    1. Eddy Ito

      Re: email verification?

      Exactly this. Why is there a difference between someone registering for Netflix using the "actual" email address of say gmailuser@gmail.com and the "spoofed" dotted address g.mail.user@gmail.com if both addresses go to the same mailbox? Years ago I'd received several emails from Sony's Playstation online whatever it is asking about my account so I simply went online, reset the password, and closed the account. Note, the "attacker" didn't actually use dots, they simply signed up with my email address. Having said that, like someone mentioned in another thread, I use the dots to detect when someone is selling my address so I can point it out to them when I end my business relationship with them.

      I submit the premise of the headline "Netflix is secure" is false if they aren't validating email addresses at the time someone signs up.

  5. JAK 1

    Re: Will it really make any differece?

    When you setup an account with Netflix they will email you to check the address is valid

    If you receive an email saying, Welcome to Netflix click here if you've just joined

    don't click the email

    1. Simon Harris

      Re: Will it really make any differece?

      Is it possible to trick this?

      Sign up to Netflix with a throwaway email.

      Netflix sends the signup confirmation there.

      Do the confirmation on that address.

      Log in to the Netflix website using the throwaway address.

      Go to account settings and change the email address to a dotted-variant of that of your mark.

      That way your mark never sees the signup confirmation.

      1. MonkeyCee

        Re: Will it really make any differece?

        "Log in to the Netflix website using the throwaway address.

        Go to account settings and change the email address to a dotted-variant of that of your mark.

        That way your mark never sees the signup confirmation."

        But they do get the "you've changed your email to this one" message. Which should raise alarm bells.

      2. tip pc Silver badge

        Re: Will it really make any differece?

        Log in to the Netflix website using the throwaway address.

        Go to account settings and change the email address to a dotted-variant of that of your mark.

        That way your mark never sees the signup confirmation.

        An email confirmation is sent to the new address, with the account i assume in limbo until the address is confirmed.

      3. HugoToledoUSA

        Re: Will it really make any differece?

        Yes, I think this was the missing piece in previous descriptions. Good point. Thanks!

  6. Anonymous Coward
    Anonymous Coward

    TL;DR but what is it with ****ing developers

    that they seem to think they can improve on the thousands of man hours that go into RFCs ???

    If I had a penny for every bug I've fixed that originated in a bit of code some smart arse thought was better than tried and tested modules ... I'd have a lot of pennies.

    email, telephone and postcode (UK) validation should have been nailed 25 fucking years ago. So why do I still see code (badly) written last week ?

    Amateurs ....

    1. Anonymous Coward
      Anonymous Coward

      Re: TL;DR but what is it with ****ing developers

      The RFCs actually allows for a lot of freedom for what comes before the @, because it was written in an era when how people were identified on different systems could vary wildly. IIRC, it allows even case-sensitive identifier - so JOHN.DOE could be different from john.doe or John.Doe... just I think nobody in their senses ever used it.

      Why Google decided to implement GMail in a way that is different from what most people are used to think email works is the issue. Maybe they thought it was a smart way to avoid people register look-alike addresses for doing something nasty, maybe the reasons are others. Anyway, the main issue is having billions of addresses in a single domain, while people with the same name are not rare at all, especially in some countries.

      1. awy

        Re: TL;DR but what is it with ****ing developers

        Actually, case-sensitivity in the local part used to be quite common in the (early) '80s. I'm not actually sure when to fell out of fashion.

        1. Black Betty

          Re: TL;DR but what is it with ****ing developers

          When MS rammed case insensitivity down everyone's throats IIRC.

      2. Black Betty

        Re: TL;DR but what is it with ****ing developers

        *nix is case sensitive, but IIRC there was a big kerfuffle when MS got into the internet business and rammed case insensitivity down everyone's throats and broke a lot of expected behaviours.

        1. Anonymous Coward
          Anonymous Coward

          "*nix is case sensitive"

          But humans aren't. Sure, written language does use case to better distinguish some words - using some known rules, but spoken language isn't (good luck with voice activated commands...) - and trying to enforce case sensitivity on humans is one of the worst things Unix programmers could think of - a clear case when engineering laziness ("hey, string comparisons in English only are far easier this way!") took precedence over a comprehensive, future-proof solution (hint: in many languages you have to follow proper collation rules to compare strings, or you'll fail).

          I understand mail RFCs had to cope with the limitations and bad designs of many early operating systems. There's really no need to persist in those mistakes - software must serve humans, not vice versa.

          IIRC DNS was designed to be case-insensitive - think if you had to register all the permutations of a domain name. URL can contain case-sensitive parts (besides the domain name), because, of course, the Unix limitations when it comes to access the file system...

      3. Anonymous Coward
        Anonymous Coward

        Re: TL;DR but what is it with ****ing developers

        "maybe the reasons are others. "

        I am not saying it was a good idea but AIUI the reason was that many corporates had a firstname.lastname or firstname_lastname policy. Some used to alias all user names so that firstnamelastname, firstname.lastname and firstname_lastname all worked. Gmail dealt with this by ignoring dots and underscores, saving aliasing. Then the Law of Unintended Consequences ensued.

        As for capitalisation - many years ago an opposing solicitor complained that an email from our lawyer in NY had been "disrespectful". It turned out she had addressed it to grabbitrunne@sosumi, instead of GrabbitRunne@Sosumi. The pitfalls of email in the 20th century.

    2. Len

      Re: TL;DR but what is it with ****ing developers

      The American Express (I know, I know, I didn't choose to use the world's least supported CC, the company did) account page yesterday asked for my mobile number. They ask for country code and had the expected county code starting with a + already filled in. It then refused the accept the + as it only allows numbers. It also doesn't allow enough digits for a UK phone number and I couldn't progress without giving a number so now they have an incomplete phone number of me on file.

      Somehow I feel that only Americans have a good chance of leaving their mobile number on that system, the rest of the world will just have to be lucky I guess.

      (Don't get me started about the space in my surname, that I have letters in my postcode and it is longer than five characters, etc. etc.)

      1. Steve the Cynic

        Re: TL;DR but what is it with ****ing developers

        (Don't get me started about the space in my surname, that I have letters in my postcode and it is longer than five characters, etc. etc.)

        Pfft. If I give *truthful* answers to "security" questions, I can have problems:

        * My father has two middle names.

        * My mother's middle name has less than five letters.

        * My mother's maiden name has three common ways to spell it (two of which differ only by internal capitalisation), and I can't remember which is the right one.

        * Someone posted a screenshot on TDWTF from a site that tried to claim that a surname shorter than five characters was invalid. Mine is only four letters.

        At least where I live(1), post codes are five digits.

        (1) France.

        1. Nick Ryan

          Re: TL;DR but what is it with ****ing developers

          Names are often implemented extremely badly (and this schema promoted through training), where names fields are recorded in the database as "Title", "First Name" and "Last Name". This then introduces a whole word of pointless pain with validation and formatting where what is often really required is "Full Name" and "Salutation". Many non-English(ish) derived cultures don't have a concept of first name and last (family) name, many don't use them in the same order for full names and salutations and the minimum length of either component is often zero.

          I haven't come across a situation where my last name is rejected for length reasons though, and mine is four letters long. I am the custodian of a "medium" size database where I have just checked and the reported minimum stored length of the surname component is one letter.

        2. Anonymous Coward
          Anonymous Coward

          Re: TL;DR but what is it with ****ing developers

          (Don't get me started about the space in my surname, that I have letters in my postcode and it is longer than five characters, etc. etc.)

          ... then there was the time that I was using my surname in testing. Which is of the form "Xx Xxxxxxx" (think "Le Mesuirer" but not french, Sicilian). I discovered that someone (who tried to lie, but sourcesafe flagged them up) had the "bright idea" of writing a bit of "validation" which insisted that all names were saved as Xxxxxx Xxxxx.

          I flagged it as a bug and the bug tracking system duly recorded the BAs "oh do fuck off response" as they closed the report.

          Sadly for them - and the fingered developer - the software we were selling was used by private investment houses in the Channel Islands. Where it seemed customers are very fussy about how their names appear on their statements (for millions of pounds).

          Not only were the investment houses less than whelmed, they were incandescent with rage when they were told that the system had managed to lose the original data (by reformatting it) and they would have to conduct an exercise to recapture it. Without the customers knowing.

          Heads did roll. But - thanks to my recorded dire warnings when flagging the bug - not mine.

        3. onefang

          Re: TL;DR but what is it with ****ing developers

          "My father has two middle names."

          My father is worse, which of his names is first and which is middle depends on which authorities you ask.

      2. MacroRodent

        Re: TL;DR but what is it with ****ing developers

        They ask for country code and had the expected county code starting with a + already filled in. It then refused the accept the + as it only allows numbers

        Heh. Copy-paste coding. The net is rife with examples where a phone number is supposedly "validated" so that + in front is not allowed. Eg. https://stackoverflow.com/questions/2386054/javascript-phone-number-validation

        I too encounter this all the time. There is a legit workaround: "00" is usually acceptable as an alternative to "+", but not in all countries. In fact, the "+" notation was introduced precisely because of the variation in international prefixes. (But probably there are some moronical web sites that forbid also phone numbers stating with zeros).

        1. sweh

          Re: TL;DR but what is it with ****ing developers

          If you're using an American site, then you're better with "011" as the international access code.

          01144207....

      3. Anonymous Coward
        Anonymous Coward

        Re: TL;DR but what is it with ****ing developers

        I assume you were dropping the leading zero and not typing ±4407yournumber

  7. imanidiot Silver badge

    Ignoring dots when registering is a good idea. Doing so for receiving/sending mail however is not.

    As to why I'm saying they should ignore dots when registering? My dad has a mail address that is my.dad@provider.com. Someone else named the same has the address mydad@provider.com. Forget the dot and the emails go to the wrong person. The other address was registered 2 years after the "dot" account and should imho never have been allowed in the first place for being too similar.

    1. Olivier2553

      Gmail could prevent from registering an new account when the only difference from an existing account is some more or less dots.

      But silently discarding the dots in an email address is *WRONG*, completely fucked up.

      1. mmccul

        Except to the RFCs which actually make clear that it is permitted to do such.

        1. rdhood

          Don't click links in email....

          I'm just going to say the obvious: DONT CLICK LINKS IN EMAILS.

          This scam fails utterly if the user goes to the Netflix site and logs into their own account. It only succeeds if someone has clicked on a link sent through email.

          Just the other day, Google sent me a notification with a G**D*** link in it, and I sent them back a "WTF is this?" message. The average user CANNOT differentiate between a real/fake, and should just about NEVER click a link unless someone has specifically said to them: "I'm sending you a link". And that is what we ought to be teaching the average joe.

          1. Anonymous Coward
            Anonymous Coward

            Re: Don't click links in email....

            That's a great sentiment but I'm a lawyer who has spent the last 15 years trying to give 60 year old secretaries an inkling of what a phishing email looks/feels like - secretaries who have neither the inclination nor the incentive to embrace new technologies/developments - only for banks to 'modernise' by delivering their instructions by email. Emails which typically include a title comprising a surname and postcode with a body saying something like 'new case, click on this link to access'.

            I know I should now move on to a point to this rant but I'm not sure I have a coherent one.

            1. Doctor Syntax Silver badge

              Re: Don't click links in email....

              "only for banks to 'modernise' by delivering their instructions by email."

              Banks really should know better. Training their customers to be phished is just stupid beyond belief but is there one that doesn't do it?

              1. grumpasaur

                Re: Don't click links in email....

                Yes, some don't but some do and the direction of travel is for more emails like that.

                Many now outsource sending their instructions (which might sound like a very trivial part of the process not to be able to handle) but a few still use the post/DX. Until recently I would have held up Nationwide (a BS, I know) as a paragon of virtue but even it has switched to the dark side.

                Overall, banks don't really give a flying monkeys because they know there's a 99% chance they can recover any losses from the lawyer, no matter how stupid or irresponsible their own practices.

                I tried to avoid ranting but you did ask!

    2. Black Betty

      So no itsame99@domain.com?

      The vast majority of "meaningful" email names are variations on a theme.

    3. Rimpel

      >Ignoring dots when registering is a good idea. Doing so for receiving/sending mail however is not.

      If you ignore the dots when registering it makes no difference at all whether you ignore it for sending or receiving because there can't be a separate email address at that domain that differs only on punctuation.

  8. Anonymous Coward
    Anonymous Coward

    A Simple Solution

    Netflix should require email validation to start a trial.

    In the email: "Click here to start your trial. If you didn't sign up for a trial you can safely ignore this email".

    Or: Netflix ignores periods in addresses.

    Simples?

    1. Anonymous Coward
      Anonymous Coward

      Or: Netflix ignores periods in addresses.

      This would just shift the issue to non GMail systems where dots matter.... not everybody likes to let Google know about what they do on the Internet.

      1. VinceH
        Flame

        Re: Or: Netflix ignores periods in addresses.

        "Or: Netflix ignores periods in addresses."

        That would be Netflix and any other service that accepts perfectly valid email addresses, though.

        Google has the broken system, so it is Google that should fix it, not expect everyone else to comply to how they think the internet should work.

        Aside, in the article, it makes the point that Google have "promoted it as a useful feature" - except in the linked post, they give no reasons as to why it is useful. The person who wrote that Gmail blog post uses two bullet points to mention the "+extra" feature and the optional dots, then goes on to give examples of the usefulness of "+extra" (one off addresses that can then be filtered) but does not do the same for the dots.

        ISTM, therefore, the only usefulness of the optional dots is to use a regexp1 to filter out anything with a dot on the left of the @ - which, again, would really amount to other people (Gmail users) doing something to counter Google's brokenness.

        1. Assuming Gmail filters can use regular expressions. I've no idea.

        Small correction: When closing the window I put that post in I spotted the image at the bottom. So the one useful thing they could think of is for when people forget if there's a dot. Because their email clients won't remember it for them, presumably.

        1. Rimpel

          Re: Or: Netflix ignores periods in addresses.

          It does mean that I can't register an email address Vince.H@gmail.com and send phishing emails that tricks the recipient into thinking it is from you.

    2. This post has been deleted by its author

    3. JohnFen

      Re: A Simple Solution

      "In the email: "Click here to start your trial. If you didn't sign up for a trial you can safely ignore this email"."

      No. This should never be done. The email can provide a plaintext URL -- that's fine -- but it should never be made directly clickable.

      1. bd1235

        Re: A Simple Solution

        Not making the link directly clickable would then exclude half of the worlds population from being able to complete the task. There are many people who bumble along without really knowing what they are doing. I used to try to educate those that I had contact with but the task was too big and I gave up. Uneducated oldies are the worst. They just can't understand that they have to think before they click and clicking may have consequences.

        1. JohnFen

          Re: A Simple Solution

          "Not making the link directly clickable would then exclude half of the worlds population from being able to complete the task."

          Baloney. The email itself could even include instructions for that.

          But, at some point, people have to be expected to learn minimal skills for using the internet. The alternative is the nightmare version of the internet that it's slowly transforming into right now.

  9. Szymon Kosecki

    This is non story and no bug.

    It's not a Google promoted feature but a part of email address format RFC. The sole reason for its existence is exactly protection to protect from phishing and apoofing. That developer must have at some stage authorised additional Netflix account creation. No other way for this to work. He should be blaming himself and not the Netflix or Google.

  10. Olivier2553

    Trailing dot in the FQDN is ignored too

    I don't know if it is still the case, but at some stage, Gmail refused to send mail to "john@example.com." but "john@example.com" was OK.

    The difference? A dot after the .com bit.

    But example.com. (with the trailing dot) is a perfectly valid and resolvable name, why Gmail chosed to ignore it?

  11. Nick Kew

    Deja Vu

    I'm sure I've seen this issue reported before. Right here on El Reg.

    More broadly, it's an instance of a whole class of issues arising through different agents interpreting standards in different ways[1]. In some cases the standards themselves are at fault: when the HTTP standards RFC723x came out, they gave rise to some security reports to BOTH the major web proxies I'm involved with, changing SHOULD in RFC2616 (and earlier HTTP standards) to MUST NOT.

    [1] Or in the case of Microsoft's products that kicked off the whole email-virus thing twenty years ago, deliberately violating a security-critical standard and opening the gates to attacks described in some detail in the informational security discussion in RFC1341 (1992).

    1. sabroni Silver badge
      Facepalm

      Special version of Godwin's law on this site

      It's always, somehow, at the end of the day, Microsoft's fault.

      It's an article about Google mail not behaving nicely with Netflix, so obviously time to mention MS. Have you ever heard of the story "The boy who cried wolf"?

      1. Pascal Monett Silver badge

        Re: Special version of Godwin's law on this site

        Nah, this is more like "the boy who heard there was a problem, and immediately used it as an excuse to blame his ex".

  12. Andy Mac

    I haven’t trusted gmail since my xxx.yyy@ address starting receiving email for xxx@, which looked to be genuinely someone else’s account. I’ve heard of this happening to others too.

    1. sitta_europea Silver badge

      Never had a gmail account.

  13. Simon Harris
    Facepalm

    Oh dear...

    "Since the e-mail arrived to the correct inbox, and since it genuinely came from Netflix, Fisher came close to accepting its request that he update his details"

    i.e. lazily ignoring the first rule of 'account update' emails, and not going directly to the site and typing in your own login credentials to check your account rather than relying on what's in the email.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh dear...

      This is an excellent point, and without a doubt the most useful comment to this article.

      This looks like a legacy problem that Google let go because it's hard to fix without alienating (oh, an unintended pun: alienating / email aliases) some customers. But fix it they must.

  14. Pascal Monett Silver badge

    "Google, however, has promoted it as a useful feature"

    Um, maybe, but useful for who ?

    1. MrWibble

      Re: "Google, however, has promoted it as a useful feature"

      spam filtering.

      You have multiple email addresses, which can all be filtered. For example, johndoe@gmail.com can be my main account, but I use john.doe@gmail.com for online forms, and therefore filter any incoming emails with that name to "spam". Then on top of that I could use joh.ndoe@gmail.com to filter to a different folder, etc.

      Add in their ignoring of anything after the "+" sign (so johndoe+spammytwats@gmail.com is still delivered to me), and it's quite a powerful tool for inbox management.

      1. Simon Harris

        Re: "Google, however, has promoted it as a useful feature"

        In the days before it became easy to validate post-codes, my dad used to use the last letter of the post-code as a postal spam filter, and could easily identify which companies were selling their contact lists to spammers.

    2. mmccul

      Re: "Google, however, has promoted it as a useful feature"

      Me.

  15. Simon Harris

    Tip of the iceberg?

    I can think of many sites that require you to sign in with your email address (err.. including this one) rather than a separate user-name that could easily be tested for uniqueness.

    I wonder how many of those are susceptible to this particular attack?

  16. The Onymous Coward

    This <> a story

    This isn't even a story; it's part of RFC 822. I use this gmail feature all the time and find it very useful. Some use cases:

    - Abusing offers such as "10% off your first order when you sign up to our mailing list".

    - Managing multiple accounts on the same website, for example several personas on a single social media service.

    - I recently had a website refuse to forget an old billing address that I couldn't change or delete, which meant my card payment wouldn't authorise. Support was useless, so I just created a new account, with an extra dot in my email address.

    - Throwaway email addresses without having to use another service (mye.maila.ddre.ss@gmail.com)

    What's happened is that a developer who thinks he's too clever to fall for a phishing scam nearly fell for a phishing scam, so he's looking for anyone other than himself to blame.

    1. Anonymous Coward
      Anonymous Coward

      RTFM

      RFC822 was obsoleted by RFC2822 seventeen years ago. The relevant portion is here: https://tools.ietf.org/html/rfc2822#section-3.4.1

      1. Anonymous Coward
        Anonymous Coward

        Re: RTFM

        Interesting, but it confirms Onymous Coward's point. RFC2822 simply says the part before @ is a "locally interpreted string" which may contain alphanumeric characters and various punctuation including dots. It doesn't say how the email host should interpret the string.

        Is GMail's ambiguous interpretation RFC2822-compliant? Yes.

        Was it a mistake for the RFC to allow ambiguous email addresses? IMHO yes. Ambiguity leads to insecurity.

        Was it a mistake for GMail to implement this ambiguity the RFC allowed but didn't require? IMHO yes.

        Does GMail's ambiguous address parsing really protect you from spam? IMHO no, because the spammers know all about it and even exploit it.

        I don't know why GMail doesn't just change it. Who cares if it breaks things for some users? Never stopped 'em before!

  17. Anonymous Coward
    Anonymous Coward

    This is a useful feature as it lets me register multiple times for services (along with the email.address+whateveryouwant@gmail.com trick).

    It's also nice that I know all about a famous hairdresser that shares my name, and almost my email address. I've watched him move house from the East Midlands to the USA, got notifications whenever he booked a taxi, had invoices and photoshoot details. I've got all his personal details, bank account details, phone numbers, DOB, those of his wife too, his kids names.

    If that's not useful (to me) then I don't know what is.

  18. Simon Harris
    Facepalm

    Secure account.

    To make sure my Netflix account didn't fall prey to this gmail issue, I signed up with my Yahoo! email. Now I'm secure...

    Oh... wait.... Yahoo! ?

  19. Anonymous Coward
    Anonymous Coward

    I've reset the password on various services where people have done this - however, be aware that they can't possible have the non-dotted version of my email address so that's not the issue. The issue is they've made a typo in the email anyway.

    For example, if I was joe.bloggs@gmail.com and I get a Pizza Hut email to joebloggs@gmail.com then that's not because someone has registered joebloggs. They can't, Google won't let them because I'm already joe.bloggs.

    They must be joebloggs1, or j0ebl0ggs or something and they've typed it in wrong. This will always happen, regardless of how dots are processed.

    As for "squatting" and who recognises what as who. Nobody will EVER take an email address as a unique ID, it's perfectly legal to have an email address that isn't my name.

    1. Doctor Syntax Silver badge

      "Nobody will EVER take an email address as a unique ID"

      Maybe I've missed the irony in your post but if not what's the ID you use to sign in on el Reg?

      I've got a login at IBM which uses an email address based on an ISP I left probably a decade ago.

  20. kain preacher

    I had some thing weird happen 4 months ago.. GMail was asking me to take ownership of an email address that was similar to mines only mine is a doted email address.

  21. Tim 11

    The fault is with Netflix

    Having a many-to-one mapping between email address and mailbox is not the problem; there are plenty of ways to do that even without this gmail feature.

    The fault is entirely with Netflix - they should not allow someone to sign up for a site without validating the email address to ensure the person signing up owns that email address.

  22. Anonymous Coward
    Anonymous Coward

    Don't click links in emails

    Weren't we all taught a long time ago to never click links in emails?

  23. ashton

    So netflix doesn't require e-mail verification ?

    I mean i've had quite a bit of mail for some other people landing in my account, including someones itunes account and someones phone bills.. I can only assume it was either mistyped or someone was too retarded to remember their e-mail adres, that said i always wondered how dumb were services who did it without confirmatione e-mail..

    Didn't expect netflix to be this idiotic either.

  24. mmccul

    Unvalidated email is the problem

    Why no one seems to be identifying the real source of risk, which is that Netflix allows you to use an email for contact and billing without verifying that the owner of that email address actually intended to do such a thing is beyond me.

    This is simply, Netflix failed to perform due diligence on the account when it was created.

  25. Anonymous Coward
    IT Angle

    We'll be using Ivp6 as name s next

    e.g Mr Richard fd12:3456:789a:1::1

    since there are so many addressable numbers we could probably use it for names.

    1. David Nash

      Re: We'll be using Ivp6 as name s next

      I did see a proposal a few years ago that everyone uses a phone number as their unique user identifier, since they are pretty much universal and unique now.

      1. Doctor Syntax Silver badge

        Re: We'll be using Ivp6 as name s next

        "phone number as their unique user identifier, since they are pretty much universal and unique now."

        Something must have gone wrong with with the allocation. My phone number and SWMBO's are identical.

  26. Anonymous Coward
    Anonymous Coward

    no longer an issue

    This is no longer an issue for new gmail accounts I have a dotted gmail account lets call it nick.smith@gmail.com I can log in using nick.smith or nicksmith

  27. Randy Hudson

    What is secure about Netflix allowing you to register an email address that you don't own?

  28. GingerOne

    Surely this is Netflix's problem. They should be confirming that the email address is correct before asking for payment details?

  29. PSX

    Google claim this but are incorrect

    google claims that an email that with first.lastname@gmail.com is the exact same email as firstlastname@gmail.com but they are wrong.

    I daily get emails for a person with the same name as me - I've been able to follow his life around for the last few years based on what he signed up to and hes currently working in America after emigrating there from Ireland some time ago(he also just bought an iPhone as I got the confirmation email numerous times before he gave up and used a different one). I've actually spoken to him as I did get some urgent contracts some years back and they included his phone number.

    Oddly he never gets emails meant for me (I have a dot in my gmail address where he doesn't)

    1. Dan Mullen

      Re: Google claim this but are incorrect

      He has simply entered your email address when signing up/buying things. That's why you receive emails intended for him but he doesn't receive emails intended for you. It's the same as him entering your home address and you receiving the stuff he's bought!

      This is the entire problem, as a few others in the comments have alluded to. When signing up with an email address - on Netflix or anywhere else - the service should send a verification email. If you signed up, verify the account. If you didn't, don't. It's as simple as that.

      This is a non-story. Either Netflix didn't require verification when the dotted email address was used to sign up (or an existing Netflix account was changed to the dotted email), or the developer in question has at some point in the past accidently verified the account. Either way, the blame is not with Google. I'm surprised at the number of people on here that think Google is the one at fault!

    2. russmichaels

      Re: Google claim this but are incorrect

      I also have a gmail address with a DOT only because it was not available WITHOUT a dot, as it was taken by someone else.

      So two gmail addresses belonging to 2 different people, the only difference is the dot.

      Now I did get that gmail address quite a few years ago, so they must have changed this functionality since then, causing addresses with DOTS to just be an alias of the address without. In which case, hardly surprising that people have started getting other people's email.

  30. JohnFen

    GMail is secure now?

    When did they change it so that Google can't spy on the contents of your email anymore?

  31. Anonymous South African Coward Silver badge

    Ho hum.

    So.

    Forewarned is forearmed, although those people who are not savvy enough to spot that extra dot will have some issues.

    Sure, there are benefits of having joe.bloggs@gmail.com and joebloggs@gmail.com, BUT the risks far outweigh the benefits. So, from my side I say that it is a huge risk, and not something I need in my life.

    Time to go hunting for a different email provider then.

    1. Dan Mullen

      What's the difference with someone just entering your actual, undotted email address? I'm baffled why people think Google is at fault!

  32. mark l 2 Silver badge

    I have still got a Googlemail.com email address, and last time i tried the dots in the email address didn't work for that one, the mail got bounced back as undelivered, but on another address ive got which is a gmail.com the dots did work.

    I used Linux daily and the case sensitivity is a pain, the Amiga OS was very Unix like but they decided to make it case-insensitive with some backward compatibility to support case sensitive files copied from Unix. I rather hoped that this approach would be brought in to Linux to phase out case sensitivity.

  33. TheFiddler

    Guess this has some benefits

    So if you register alongenoughemailaddress@gmail.com you can then work your way through many free 30 day trials all by working a load of dots through your email address.

  34. dmacleo

    I had same email 2 weeks or so ago. it was correct address yet I could see on my xeams proxy spam server that there were some (for my domain) NOT using period coming from a gmail server. didn't really pay to much attn to it as it never reached exchange server.

  35. Doctor Syntax Silver badge

    “It's an example of two systems without a security vulnerability coming together to create a security vulnerability.”

    Disregarding valid characters in an address looks like a security vulnerability to me if it allows scams like this.

  36. Malignant_Narcissism

    I brought this *very* thing up with Google six years ago. I still await an answer.

  37. Anonymous Coward
    Anonymous Coward

    Change payment details without password?

    If Netflix are honestly sending out emails that request updated credit card details without requiring you to log in (which the “victim” couldn’t do because they don’t know the password for the fraudulent account) then there are far bigger issues here than the handling of dots in email addresses!

    Whilst I’m sure there are probably ways of abusing gmail’s ignoring of dots (not to mention the ‘+’ behaviour) in addresses, I suspect (or sincerely hope) this isn’t one of them.

  38. david 12 Silver badge

    Netflix

    This is an information risk because Netflix alows different people to register with only the dot difference in the first part of their mail address.

    Netflix thinks that

    netflix.suck@gmail.com

    is different than

    netflixsucks@gmail.com

    Why all the hate for gmail? It's netflix that sucks.

    1. Anonymous Coward
      Anonymous Coward

      Re: Netflix

      No, it's not Netflix's responsibility to know every email host's internal naming rules. That's impossible. Netflix should verify email addresses (I assume they decided payment info was adequate user verification) but it was GMail that "helpfully" redirected netflix.sucks to netflixsucks until a scammer signed up as netflix.sucks. Gmailsucksmore.

      The RFCs suck even more. Most internet protocols, old and new, have these ambiguities. The internet was designed to be flexible, not secure. It was only a research prototype, but it seemed to work well enough, so nobody bothered with version 1.0. If GMail is in perpetual beta, Internet is perpetual alpha.

    2. El Biggles

      Re: Netflix

      Read what you typed, the two addresses ARE different without the dot in the first part. Actually this is a very good illustration of how easy it is to mis-type an email address.

      1. tip pc Silver badge

        Re: Netflix

        its funny that so many people are commenting on this yet no one has checked by signing up to netflix with a spare account, and seeing if its actually possible to do as suggested.

        There should be no way for someone to login to netflix and add their CC details to an account they don't know the password to even if they know the account name and have a link notifying the CC is invalid and a new card needs to be entered.

        Think about it.

        to change the CC you need to login to the site using the spoofed email with a dot in a different place and enter a password. As you won't know the password you can reset it and add the CC but then the person who spoofed you will then need to add the new password to gain access which will fail as they won't know it. At worst you will now have 2 NetFlix accounts which Netflix can easily refund the new one once you notify them.

  39. Twilight

    I would be perfectly happy to have gmail stop ignoring dots in email addresses IF all sites actually supported valid email addresses with + in them. It still baffles me the number of email validators on many sites (including government sites) that claim + is not a valid character in an email address.

    Over the years, I've gotten lots of emails for lots of people that clearly typo'd their email (and not just a dot difference). I've gotten email from lawyers, order details for an artist in CA, email from doctors, and many other probably important emails. In some cases, I did attempt to notify the sender to the error if it seemed important. By far the most annoying was somebody signing up for a TON of payday loan sites using my email address (fortunately Google sent most of them to spam even without me doing anything).

  40. Miss_X2m1

    Instagram too.

    Happened to me too and I don't have an Instragram account. I would just send the faulty emails to postmaster@gmail.com and let them know.

  41. Arachnoid

    Yahoo accounts

    Have a similar working arrangement.You can use accountname-netflix@yahoo.com which will appear in your accountname@yahoo.com email account and again is a good way to see who has access to specific sign up details as it ignores anything past the dash.

  42. g4ugm

    Its "almost" fixed

    you can no longer register an address with extra dots. Note what google does is perfectly legal in internet standards terms. The mail standards are clear. what is to the left of the "@" can be interpreted in whatever way you want. Most systems already ignore upper/lower case but some don't, so Dave & dave are different...

    1. Anonymous Coward
      Anonymous Coward

      Re: Its "almost" fixed

      I did not know that some email systems distinguish between UPPER and lower case.

      I have always told people that emails are not case sensitive.

      You learn something every day.

  43. Anonymous Coward
    Anonymous Coward

    I, like others here, have been getting emails from companies that I have no dealings with.

    There is a driving school owner in Yorkshire that I could have burgled when he was on holiday.

    There is a lady (I am a bloke) that I could have screwed up her Sky installation.

    There is also a person or persons in Australia who have used my gmail account to sign up for all sorts of things. Gas, Electricity, Termite infestation report, etc...etc..

    Some of the OZ ones have no email contact information on their emails or websites, just a 'local' telephone no. Not local for me, so no calls. Others sites, I have emailed them explaining the problem and advising them to sent a letter to their customer(s).

  44. AliC33

    My Gmail has a dot in the local part. On several occasions in the past I've received emails that were clearly intended for someone else. If I remember rightly their Gmail address was the same as mine without dots.

    1. mhenriday
      Linux

      Sounds strange to me,

      AliC33 ; as far as I know, if one has opened an account - say ali.c@gmail.com - no one will be able to open a similar «dotless» account, of type «alic@gmail.com». Your experience seems to differ from my own and from my understanding of the manner in which Gmail accounts are supposed to work....

      Henri

    2. RFC822

      I'm in the exact same position.

      I have <initial>.<initial>.<surname>@gmail.com, and I get a reasonable amount of email (including when he signed up for Netflix!) which is meant for <initial><initial><surname>@gmail.com.

      I've no way of contacting him, as I don't have his other contact details, and when I try to send email to his <initial><initial><surname>@gmail.com address, it ends up in my inbox :-(

  45. Netbofia

    Why doesn't Netflix validate the email address?

    Why doesn't netflix simply validate the email given on sign up. If you can't prove it's your then u can't sign up with that email address. Problem solve.

    Or am I missing something?

  46. Anonymous Coward
    Anonymous Coward

    Don't get the issue here, security is becoming so much FUD with 'researchers' finding little things to get printed!

    Say my email is a.user@gmail.com

    If someone were to sign up with Netflix with the account auser@gmail.com surely I would get an email to confirm my account and it shouldn't work till I do confirm the account... If that isn't the case then surely this is more an issue with Netflix! And surely if someone were to ignore various emails to say they have created a new account that they never actually did, then to I assume follow a link in the email (is there not any authentication.....) and enter their card number then it's a) Netflix being very poor by design and b) Users being stupid to blindly enter their card number!

  47. russmichaels

    If someone creates a netflix account or any account using a gmail address that is actually an alias of yours, then you are going to get the welcome email of the newly created account, which you would have to also completely disregard in order to fall for this. The person who created the account would never get that email because they do not own that email address.

    Also doesn't netflix send out an account activation email to verify the email address?

  48. rgiersig
    WTF?

    EXCUSE ME?!

    How is Netflix considered secure if they DON'T VALIDATE THE E-MAIL-ADDRESS?!

    If you sign up for a new account the first thing that needs to be done is to verify the e-mail-address before any other action can take place. Because your e-mail-address is your identity. It is highly unprofessional to perform any transactions before the identity isn't confirmed. And here you can see, why...

  49. Strangelove

    Well as a happy user of the dots and the plus signs, I must say I like gmail the way it is, but then I have long name with a hyphen in it that makes it quite rare.

    Surname-mine+me Surname-mine+wife Surname-mine+child all land one one place for easy onward sorting.

    Moving the dots when signing up for spam-like things makes it easy enough to auto-filter on the dots to put it in the junk mail pile.

    But I came to Gmail from using freeserve that did the extension into may names even more uniquely, and was pleased to find that it was at least possible.

    Less pleased to see that despite

    "+" and "-" signs being legitimate characters in Email addresses a number of organisations seem unable to handle them, including my bank.

    Previously

    Mynet@ freeserve.co.uk

    would pick up

    me@mynet.freeserve.co.uk

    you@mynet,.freeserve.co.uk

    anyoldthing@mynet.freeserve.co.uk

    or I could log in with one of those and see just the filtered view. If only something like that had become an agreed standard.

  50. johnny raindrop

    I immediately assumed "well, gee; the RFC (2822) should answer this definitively". So I looked and found out that "The local-part portion is a domain dependent string. In addresses, it is simply interpreted on the particular host as a name of a particular mailbox." There is no definition of how that interpretation works. I also thought emails were always lower case, but then realized that _my_ ISP says it translates to all lower case, but there is no such requirement in the RFC.

    I still think it is bad practice to blur something that people think of as a unique identifier.

  51. AldeBaran

    This attack doesn't make sense.

    This attack doesn't make sense.

    Surely you would need to know the other account's password to log on.

    I just set up a netflix account to test and even clicking on the link in the mail takes me to an authentication page.

    Also, even if you do enter your details into the wrong account - the best the attacker will be able to find out is the truncated number of your card which won't be very useful (I know it is not nothing but it is really not worthwhile jumping through multiple hoops to get one part of one person's card).

    I wasn't able to test whether:

    1. You are already authenticated to Netflix on your own account;

    2. Email arrives and you click the link which takes you to a different Netflix account without needing to authenticate.

    3. You are now logged into the new account.

    I doubt this would work but if it did then the issue would be on Netflix's side and not Google's and it would be serious enough that they should fix it.

    Otherwise - move along - you are not being phished. You are safe. There is no way your card details are going to a third party (through this method). Rather look out for real phishing emails.

  52. mhenriday
    Boffin

    Au contraire,

    I've always regarded Gmail's refusal to recognise dots in email addresses - or rather, refusal to allow a new account with the address «john.doe@gmail.com» to be opened in the event that an account with address «johndoe@gmail.com» already exists - as a valuable safety feature, given that inadvertent omission or adding of dots in such addresses is one of the most common errors made by users. Gmail's praxis renders it impossible for someone who notes that John Doe can be reached at johndoe@gmail.com to open new accounts with such addresses as «john.doe@gmail.com» or «j.ohndoe@gmail.com», etc, etc, and thereby intercept post meant for the first-named....

    Rather than Gmail ceasing this practice, it would, to my mind, be far better were other email and other service providers to introduce it....

    Henri

  53. Miss_X2m1

    Instagram also.

    I received an email from Instagram telling me to reset my password and this email was sent to my gmail account. It too had a dot in the the middle of my gmail handle. Problem is, I don't have an Instagram account so the scum bag who was trying to access, what they thought, was my Instagram account was probably chasing nothingness.

  54. techcafe

    Netflix could simply reject Gmail accounts containing dots, or strip away the superfluous dots from Gmail addresses, like Google does.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like