Obscure E-Mail Vulnerability

This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the same as b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those email addresses—if they’re even valid.) Netflix doesn’t ignore dots, so those are all unique e-mail addresses and can each be used to register an account. This difference can be exploited.

I was almost fooled into perpetually paying for Eve’s Netflix access, and only paused because I didn’t recognize the declined card. More generally, the phishing scam here is:

  1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
  2. Create a Netflix account with address james.hfisher.
  3. Sign up for free trial with a throwaway card number.
  4. After Netflix applies the “active card check”, cancel the card.
  5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
  8. Use Netflix free forever with Jim’s card **** 1234!

Obscure, yes? A problem, yes?

James Fisher, who wrote the post, argues that it’s Google’s fault. Ignoring dots might give people an enormous number of different email addresses, but it’s not a feature that people actually want. And as long as other sites don’t follow Google’s lead, these sorts of problems are possible.

I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who—if anyone—has the responsibility of fixing it.

Posted on April 9, 2018 at 6:30 AM
109 Comments

Comments

Erik April 9, 2018 6:47 AM

I have encountered the Stupid User Trick version of this problem with gmail.

There is a person whose work email address is apparently “w.essing@” whatever the domain is.
Mr. Essing routinely gives out “w.essing” as his personal gmail address.

Without the dot, that’s my gmail address.

All his correspondence is in German, too, which I do not speak or read.

Brian April 9, 2018 6:49 AM

Wasn’t this called out as being fake? In order for the credit card to be entered on the account in the first place, the person who created the account would need access to it, and since the Netflix account verification email for james.fisher@gmail.com would go to jamesfisher@gmail.com, the account would never have been properly set up.

Just sayin’.

Yes, there is the scenario where the account could have been set up with another email address, and then changed to james.fisher@gmail.com later, but again, a notification would be sent that the change was made. I dunno. Seems fishy.

Juergen April 9, 2018 6:51 AM

The problem is clearly on the side of Netflix – they create an account without verifying the email address of the customer.

The handling of the local part is something every mail server operator can decide on himself – 3rd parties MUST NOT assume anything about the process. There are RFCs that clearly specify this. And of course there’s the good practice of verifying contact details BEFORE activating the account and delivering the service.

r2d2 April 9, 2018 7:02 AM

That did not seem an example of “two systems without a security vulnerability”. Counting the user, there were three systems, all with numerous holes.

Mervyn Bickerdyke April 9, 2018 7:17 AM

@Erik:

If the GMail address without the dot is your GMail address, it is also your GMail address WITH the dot. Because dots are ignored.

It doesn’t matter if German Herr Essing gives out w.essing or wessing as his GMail account – it’s YOUR account in both cases. So he either gives out the wrong domain or forgets a suffix like w.essing123

In a related note:

The ignored dot is to avoid missent email when people forget the dot. The feature to give you multiple throwaway addresses would actually be the +-suffix. name+something@ is an automatic alias for name@

Of course this only is useful if websites accept name+1@ and name+2@ as different email addresses…

cate April 9, 2018 7:19 AM

This is a well-known problem, and it was used already (nearly) 10 years ago. Note: various mail servers handle suffixes (usually ones which start with a dash) in a similar manner. And there are many throwaway email providers (in the past often used by forum spammers), so a unique email also does not solve the problem.

RealFakeNews April 9, 2018 7:21 AM

Surely Google are at fault for ignoring the period? It’s a legal character in e-mail addresses, so ignoring it is the problem??

Brian April 9, 2018 7:21 AM

@Mervyn Bickerdyke

gmail doesn’t care for dots so it can scrape email address from the web where people put in obscure dots to thwart bots.

At least that’s what I’m going with 😛

The dots are also useful to help sort email. Give out different iterations to different sites/people and filter accordingly with rules.

Martin April 9, 2018 7:25 AM

@Erik: That’s funny, I have the exact same issue, also with a German. I even ran into the issue of sites not verifying emails. So far he has created accounts on Dropbox and Aliexpress.

Kai April 9, 2018 7:34 AM

This is one of my main gripes with Google. They’re now big enough that they can do whatever they want and ignore the bits of published standards that they don’t like.

Things like being blind to dots in email address, labels not quite being like standard IMAP folders, contacts behaving weirdly when synchronised via CalDAV etc…

Yet, no-one will, or even can, take them to task about it because – well, what are you going to do?

April 9, 2018 7:41 AM

I know of two users in two different countries. One has a gmail address, the other has the “same” gmail address just with a couple of dots. The email sent to the one without dots was also arriving at the “dots” inbox. I found out when the “dots” gmail user reached us. Nowadays you cannot create a gmail address with dots (or without) that collides with another, but it looks like that was possible in the past. It’s unacceptable that the email sent to one user lands in someone else’s mailbox… Password reset link interception just got easier.

TRX April 9, 2018 7:47 AM

That would certainly explain why I was never able to exchange email with a friend who had a gmail account. Since I got my first modern internet address in 1992 (as opposed to the old bang path address I had before) I’ve had problems either sending or receiving mail from some hosts, even before every hop set their spam filters to “NUCLEAR!”

Until quite recently, I always used firstname.lastname at whatever mail host I was using.

So Google (and others?) are ignoring or conflating valid email addresses. No wonder email is so unreliable nowadays…

FRex April 9, 2018 8:45 AM

It’s like gestalt: the whole (accidentally paying for someone’s Netflix) is different than the sum of its parts (Google dots and Netflix not verifying an email, two seemingly non-issues).

On the other hand, this feature (dots in the email) is so obscure as to border on useless. It’s like pressing ? on gmail.com to bring up a sheet of all key shortcuts. Most people don’t know about those features.

The dots feature is also quite useless for separating the name from surname (the only non-hacky use I can think of, which in itself is quite niche, many people use one letter of their first name + entire surname or just some custom one word moniker) because if that separation is not obvious to the recipient at a glance already without any caps or dots then it’s probably a language barrier so strong that they won’t pronounce or remember then full name easily no matter if they get xxx.zzz xxxzzz or Xxx Zzz.

AlanS April 9, 2018 9:53 AM

@Erik, Mervyn, Martin

I believe that in Germany and the UK they used googlemail.com for a while because there were IP issues related to the gmail.com domain. username@gmail.com, username@googlemail.com, user.name@gmail.com, user.name@googlemail.com, and variants with the dot in different places should all be valid addresses for the same account. As Mervyn points out above, you can create further variants by appending + and some other text.

I routinely get gmail for other people. Usually the e-mail is from a business, often a receipt for some product or service a person with a name similar to mine has bought (usually same last name and initial but different first name). This appears to be a genuine mistake in many cases. In other cases I suspect my e-mail address was given out because it looks like it might be an e-mail the person owns and he or she (genuine mistake or not, the person is nearly always a she) doesn’t want the hassle of marketing e-mails from a particular business. In some cases I have received e-mail from several businesses for a particular person so presumably the person purposefully gave out the wrong e-mail address.

Jcu April 9, 2018 10:00 AM

Surely Google are at fault for ignoring the period? It’s a legal character in e-mail addresses, so ignoring it is the problem??

They can take the fault for ignoring the period, but it’s not a problem. As Juergen wrote, the local part is theirs to handle as they wish. They might also choose to make them case-insensitive (technically, they’re assigning 2^N local-parts to the same mailbox, because the standard says it’s case-sensitive). And it’s common to ignore ‘+’ and anything following, which is similarly non-standard.

Oliver April 9, 2018 10:11 AM

Hi Bruce

Hold on a minute here!
Isn’t there such a pesky thing as an RFC that defines how email and email addresses are supposed to be used?
I do not think that the “dot” is any more special than other latin letters in email addresses!?! At least not special enough to be merely ignored?
And that it is supposed to be interpreted by the MTA?

Then, if this is the case, then this is clearly a fault on GMAIL’s part, isn’t it?

Cheers, oliver

PS: sheeeesh, there even is an RFC for CPIP, for Christ’s sake!!!

Marc April 9, 2018 11:01 AM

I’m all for holding Google accountable when appropriate, but… I don’t see the argument for this being a problem on Google’s part. You can send me mail with or without the dot in my Gmail address; I get it either way. Essentially, it looks to the world+dog as if I have multiple addresses – but they all come to me.

Netflix, on the other hand, allows you to use an email address as your username and doesn’t make you verify it.

Tell me again why this is Google’s problem?

Furthermore:
He got an email telling him that his credit card had been declined. To fix it, he had to sign in to the Netflix account, no? Did he just guess the password? If this story is true, it means that Netflix security is even crappier than he thinks Google’s is.

Jordan April 9, 2018 11:37 AM

The local part of the address is entirely owned by the recipient mail system and has whatever semantics that recipient system wants. It could be case sensitive or case-insensitive. It could treat punctuation as significant, or not. It could treat particular substrings as significant, or not. It could be completely ignored and all mail delivered to a single mailbox – actually, quite a common and useful configuration.

Google is doing absolutely nothing here that is not allowed by the standards.

(The original relevant section is RFC 822 section 6.2.4. The most recent relevant section is RFC 5322 section 3.4.1. Both say that the local part is interpreted by the destination host. RFC 5321 explicitly says that no other host may interpret it.)

Mervyn Bickerdyke April 9, 2018 11:40 AM

@Brian:

gmail doesn’t care for dots so it can scrape email address from the web where people put in obscure dots to thwart bots.

That would be stupid at both ends.

If you are assuming that you can “obscure” your email with dots, then you are actually counting on the dots being ignored, or else emails sent to that address would not end up in your mailbox but in some other guy’s inbox, because you are willingly giving out a wrong address.

And on the other hand… could you explain in more detail why Google would need to scrape GMail addresses from websites??

The dots are also useful to help sort email. Give out different iterations to different sites/people and filter accordingly with rules.

The + is meant for that. The ignored dot is mainly to catch typos.

Random1 April 9, 2018 11:56 AM

@Marc – I believe that the Netflix part of this is that Netflix sends a user a custom URL to update billing info. In the interest of customer retention & revenue, they want to make this as easy as possible… so no password. Because they know they sent it to the right user’s E-Mail (right? right?)

Always prompting for a password when getting into account settings would indeed fix it, as the fraudster doesn’t know the victim’s real password. I’m quite sure Netflix could measure the dollar value of what this minor hassle would cost them, in customers that let it go for a month or two (or forever).

Mervyn Bickerdyke April 9, 2018 12:03 PM

@Security Sam:

According to Google they are not ignored:
https://support.google.com/a/answer/33386?hl=en

That is a support article for GSuite and NOT Gmail.

GSuite charges you per registered user/email and may have an interest in not allowing tricks to create multiple emails per mailbox….

From your link: “Periods (.) are not ignored as they are in a gmail.com account.” should indicate that this is not about gmail.com

David Rudling April 9, 2018 12:21 PM

@Oliver
I believe you have RFC 2822 in mind.
Section 3.4.1 gives the “addr-spec” specification.
“An addr-spec is a specific Internet identifier that contains a
locally interpreted string followed by the at-sign character ("@",
ASCII value 64) followed by an Internet domain. The locally
interpreted string is either a quoted-string or a dot-atom. If the
string can be represented as a dot-atom (that is, it contains no
characters other than atext characters or "." surrounded by atext
characters), then the dot-atom form SHOULD be used and the
quoted-string form SHOULD NOT be used. Comments and folding white
space SHOULD NOT be used around the "@" in the addr-spec.

addr-spec = local-part "@" domain

local-part = dot-atom / quoted-string / obs-local-part

domain = dot-atom / domain-literal / obs-domain”

It goes on to say this about the “Local-part” which is the bit causing trouble here.

“The local-part portion is a domain dependent string. In addresses,
it is simply interpreted on the particular host as a name of a
particular mailbox.”

Unfortunately that is what there is. RFC 2045, RFC 2046 and RFC 2049 in the MIME document series seem to assume RFC 2822 has this point adequately covered.

“…a domain dependent string…simply interpreted on the particular host as a name of a
particular mailbox…” seems to give Gmail the freedom to do what some might consider something stupidly dangerous to security. Caveat emptor when it comes to Gmail, it seems.

David Rudling April 9, 2018 12:24 PM

@Jordan
You beat me to it while I was typing – and said it much more economically!

Jordan April 9, 2018 12:27 PM

I just created (and cancelled) a Netflix account and confirmed: they do not verify the address used.

However, they do send a “Welcome” message, so there’s at least a hint that something … interesting … is going on.

Amusingly, my “goodbye” message was sent three minutes before my “welcome” message.

justina.colmena April 9, 2018 12:32 PM

Technically a dot or period is not supposed to be permitted to the left of the “@” in an e-mail address, although e-mail addresses used %-hacks and !-paths in those days before DNS was common.

dj April 9, 2018 12:55 PM

Having problems with someone constantly attempting to take over my Google and social media accounts using this. Also being signed up for expensive and useless services.

It seems the dot form gets priority over the not-dot form.

It’s ages old and well-known. Apparently this is a WONTFIX.

Best thing to do may be to claim both the non-dot form and the dot forms if you need Gmail addys.

Impossibly Stupid April 9, 2018 1:01 PM

Nobody involved seems blameless. Netflix is wrong to use an external identifier for its accounts, and doubly wrong to have it be a form of contact info (email in this case, but the same issues would arise if they used phone numbers without normalizing the text). I know that it’s a common way to create accounts these days, but it is not something any competent security professional would call best practices.

But they send out a “Thanks for joining” email, and many other emails that should make it obvious that a new account is being set up fraudulently. If the user is phished through the entire process that results in them paying for two (or more) accounts and they never question it “forever”, that’s their own stupidity.

And Gmail is a complete mess for all sorts of reasons. In this case, it’s just so big that it makes it really easy to find an active gmail.com account to phish via a dictionary attack. The best practice is to simply not allow Google to be in control of your contact information like that. Go with an email provider that has a smaller attack surface.

Jordan April 9, 2018 1:02 PM

Dots most certainly are allowed before the at-sign, along with quite a few other punctuation characters.

RFC 5322 and its predecessors make this absolutely clear (reordered for clarity, note the definition of dot-atom-text):
addr-spec = local-part "@" domain
local-part = dot-atom / quoted-string / obs-local-part
dot-atom = [CFWS] dot-atom-text [CFWS]
dot-atom-text = 1*atext *("." 1*atext)
atext = ALPHA / DIGIT / ; Printable US-ASCII
"!" / "#" / ; characters not including
"$" / "%" / ; specials. Used for atoms.
"&" / "'" /
"*" / "+" /
"-" / "/" /
"=" / "?" /
"^" / "_" /
"`" / "{" /
"|" / "}" /
"~"

The quoted-string production adds a mechanism for including all other ASCII characters. (Treatment of non-ASCII characters is left as an exercise for the reader.)

In fact, RFC 822 – the original specification for modern Internet e-mail – explicitly gives First.Last@Registry.Org as an example.

(The specification does not allow two dots to appear next to each other, using dot-atom form. To have two dots next to each other you must use quoted-string form. That seems like an unnecessary restriction.)
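The following is an added example, not code from Bruce Schneier, James Fisher, Netflix or Google. It turns the dot-atom-text grammar quoted in the comment above into a local-part validator, and then shows the check a signup service could run to catch the collision described in the original post: it keys accounts by the form the provider actually delivers to, so james.hfisher@gmail.com is recognised as the already-registered jameshfisher@gmail.com instead of becoming a second account. The `GMAIL_LIKE_DOMAINS` table, the `SignupRegistry` class and all sample addresses are constructed for this example; the Gmail rules it encodes (dots ignored, `+suffix` dropped, googlemail.com as an alias) are the ones stated in the thread, and for every other domain the local part is deliberately left untouched, since RFC 5321 reserves its interpretation to the receiving host.

```python
import re

# RFC 5322 grammar as quoted in the thread (obsolete syntax and CFWS not handled):
#   atext         = ALPHA / DIGIT / "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" /
#                   "-" / "/" / "=" / "?" / "^" / "_" / "`" / "{" / "|" / "}" / "~"
#   dot-atom-text = 1*atext *("." 1*atext)
#   local-part    = dot-atom / quoted-string / obs-local-part
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM_TEXT = re.compile("^" + ATEXT + r"+(?:\." + ATEXT + r"+)*$")
# quoted-string: DQUOTE, then any run of characters other than an unescaped
# '"' or '\', then DQUOTE. This is what makes "@.@"@dotquote.at legal.
QUOTED_STRING = re.compile(r'^"(?:[^"\\]|\\.)*"$')

# Assumption (constructed table): domains whose local part we collapse the way
# the thread describes Gmail. Any domain not listed is treated as opaque.
GMAIL_LIKE_DOMAINS = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}


def is_valid_local_part(local: str) -> bool:
    """True if local matches RFC 5322 dot-atom-text or quoted-string."""
    return bool(DOT_ATOM_TEXT.match(local) or QUOTED_STRING.match(local))


def split_address(addr: str) -> tuple:
    """Split at the LAST '@': a quoted local part may itself contain '@'."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"missing local part or domain: {addr!r}")
    if not is_valid_local_part(local):
        raise ValueError(f"local part is not dot-atom or quoted-string: {local!r}")
    return local, domain


def canonical_key(addr: str) -> str:
    """Collapse an address to the mailbox its provider actually delivers to.

    Gmail-like domains: lowercase, drop '+tag', strip dots, fold the domain alias.
    Other domains: only the domain is lowercased; the local part is left as-is,
    because the receiving host alone decides whether w.essing and wessing match.
    """
    local, domain = split_address(addr)
    domain = domain.lower()
    if domain in GMAIL_LIKE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = GMAIL_LIKE_DOMAINS[domain]
    return f"{local}@{domain}"


class SignupRegistry:
    """Constructed account store keyed by canonical address (hypothetical class)."""

    def __init__(self) -> None:
        self._owner_by_key: dict = {}

    def register(self, addr: str):
        """Return None when the address is genuinely new; otherwise return the
        already-registered address whose mailbox it collides with, so the caller
        can route the request to the existing account instead of creating one."""
        key = canonical_key(addr)
        existing = self._owner_by_key.get(key)
        if existing is not None:
            return existing
        self._owner_by_key[key] = addr
        return None


def scenario() -> list:
    """Replay the thread's scenario on constructed sample signups."""
    registry = SignupRegistry()
    attempts = [
        "jameshfisher@gmail.com",                 # the victim's real account
        "james.hfisher@gmail.com",                # the dot variant from the post
        "James.H.Fisher+netflix@googlemail.com",  # plus tag plus domain alias
        "w.essing@example.org",                   # unknown provider: not collapsed
        "wessing@example.org",
    ]
    return [(a, registry.register(a)) for a in attempts]


if __name__ == "__main__":
    for addr, collides_with in scenario():
        print(f"{addr:42} -> {'new' if collides_with is None else 'collides with ' + collides_with}")
```

Running `scenario()` reports the second and third gmail.com signups as collisions with the first while leaving the two example.org addresses as distinct accounts, which is the honest position for a service that cannot see inside another provider's alias table; the remaining defence for those is what Juergen and Random1 describe above, verifying the address before anything, including a password or payment details, is attached to the account.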

Who? April 9, 2018 1:18 PM

@justina.colmena

Technically a dot or period is not supposed to be permitted to the left of the “@” in an e-mail address, although e-mail addresses used %-hacks and !-paths in those days before DNS was common.

Ah, the good old days of UUCP email. Technically “!” was not being used before the “@”; in fact there was no “@” at all on the UUCP email system, a UUCP email address was something like host1!host2!host3!username—but usually longer. Sometimes I would like to return to the first years of the Internet. At that time the Internet was a network for civilized people.

Ryan April 9, 2018 2:15 PM

He got an email telling him that his credit card had been declined. To fix it, he had to sign in to the Netflix account, no? Did he just guess the password?

According to the original blog, he used the password recovery feature to gain access to the Netflix account. Honestly you have to ignore a lot of warning signs in this scenario before you get to the point where you enter your credit card info into someone else’s account.

just me April 9, 2018 2:40 PM

Wait, what?

@Zé: if it is true that Google at one time differentiated accounts named username and user.name, and then at some point began equating them, then they obviously created collisions retroactively in their existing namespace. No matter what they are allowed to do by RFC, that’s a boneheaded bug, if that’s actually what happened — a boneheaded bug with serious privacy implications.

Peter Boughton April 9, 2018 2:44 PM

Disappointed with the unusually low quality of comments from some people here. :/

The issue here is unequivocally a combination of Netflix (for not validating accounts before accepting card details) and user error* (for following an email link when money is involved).
*(And specifically error, not fault because too many websites train people to be unknowingly insecure.)

Google’s approach to dots is not relevant – it might make it slightly easier, but the same technique can still be used without it.

To extend on Jordan’s latest comment, you can have any printable ASCII character in the first half of an email address.

"@.@"@dotquote.at

Yep, that’s a standards-compliant address. Never gotten around to testing how many mail servers support it; it’ll certainly be rejected by a lot of webapps…

Gweihir April 9, 2018 2:57 PM

One more reason why I run my own mail server. No need to put up with stupidity like this.

Bobby April 9, 2018 3:07 PM

Based on some limited personal experience (BSD-type e-mail server with postfix, dovecot, LDAP, etc.), this actually seems perfectly natural and easy to me.

A user account can have aliases. All of those aliases map to the same UID. All of those aliases also act as valid e-mail address. When the e-mail server asks “who does john.smith belong to,” the answer is “UID 6476, mail folder /some/path/or/another.” When it asks “who does johnsmith belong to?” the answer is also “UID 6476, mail folder /some/path/or/another”

I don’t know what Gmail runs on today, or what it ran on back in the day. But in some setups, this seems like a pretty quick and easy way to avoid “duplicate” accounts. If someone signs up for donald.trump@gmail.com, should anyone be allowed to sign up for donaldtrump@gmail.com afterward?

The better user experience seems to be “say no and reduce the chance that e-mail goes to the wrong person.” I fully agree with Google’s effort to avoid “duplicate” e-mail addresses, and I’m sure it’s saved them a ton of support work. Probably also improved user satisfaction overall. Instead of a forever-ongoing issue of getting the wrong person’s e-mail, or not getting yours, people get a one-time disappointment of needing to pick a different address when signing up.

So when an account is created, the server could just automatically add all the dot-variants as aliases and call it a day. No extra logic or complicated mapping system to see whether a new account can be created, or is forbidden because it’s “too similar” to an existing one. The account either exists or it doesn’t. The amount of custom coding required to accomplish this is extremely minimal, compared to some alternatives.

But as a side effect of avoiding duplicate accounts, all those dot-variants now automatically become e-mail aliases. Not because e-mail aliases were the intended feature, but as a “bonus feature.”

That’s all just theory. I can only speculate about Google and Gmail in particular, but I know there are e-mail server setups where exactly this scenario could play out. Maybe that’s what happened here, maybe it’s not.

@Mervyn Bickerdyke, dosentmatter, Chris

I make extensive use of the dotted names. Mostly because I’ve found the plus sign feature to be useless. Usually the e-mail address is forbidden because it has a + in it and some misguided person thought those were invalid. The few times it has been accepted, whatever poorly-made system they fed it into seemed to fall apart at the seams.

If people want to make noise about not following RFC standards, how about the vast majority of the Internet that seems allergic to perfectly-legitimate plus signs in e-mail addresses?

As it stands, the dotted name variants allow me to more easily keep things out of my SPAM folder. And also to blackhole a variant I need to throw away because it’s been misused, sold, breached, etc. I’d love to use the + variants, but I’ve never had success with them.

Regardless, for the purpose of the security hole here, the dot-variations and the plus-extensions are equally problematic. They’re both technically different e-mail addresses, which Netflix will treat as different accounts, and which Gmail will deliver to the same individual.

@Brian, Juergen, dosentmatter, Marc

If validation was required before entering a password for the account, that would be ideal. Implemented properly, that could ensure a third party has zero control over the account being created.

@Ryan and others get it right–it’s still suspicious and still avoidable. But despite that, it can work for all the same reasons phishing works.

Phishing uses e-mails forged to look authentic, to trick a target into giving away information.

This uses e-mails that actually are authentic, to trick a person into giving away information.

So Netflix sends an ownership validation e-mail. Jim says “Why, yes, I do business with Netflix. Yes, I received this e-mail. Sure, I’ll click this link to let you know I received this e-mail.” And, voilà, “validated.”

So the issue is less about if validation happens, and more about when.

@All

So let me ask: what if Jim had never signed up for Netflix? Someone could still sign up with his e-mail address, and they would still be “in control” because they know the password and Jim doesn’t.

Sure, it’s not as bad. Now Jim is probably wondering why the heck Netflix wants anything to do with him, when he’s never signed up at all. But maybe he thinks his spouse signed up using his account, and puts in the information all the same. Or maybe Jim is an octogenarian who’s afraid the computer police will come for him if he doesn’t do what these Netflix e-mails tell him to do.

These Gmail features are a problem, sure. It makes an existing issue worse. But in my opinion, the existing issue is just as worth fixing. And the solution seems to be that the one and only thing anyone can ever do with any account before validating the e-mail is…providing the e-mail. Nothing else. No password, no profile information, no payment information, etc.

So, yeah, I still gotta say the majority of fault lies on Netflix.

Marshall April 9, 2018 3:19 PM

@Bobby:

The “alias mapping” idea is nice in general, but with your dot problem it would cause a huge combinatorial explosion, as there are a virtually infinite number of aliases for each account. JohnDoe@gmail.com and John........Doe@gmail.com are both valid email addresses, as is J.o.h.n.D.o.e@gmail.com.

Most likely, Google stores the email address without dots and, whenever they encounter a username or email address containing dots, they simply strip them away. This does away with the need for aliases; periods are not allowed in the system and are simply stripped away. It’s possible they store a single one-time “display” alias, in the event that you find it visually appealing to use a period, but that’s probably just for display purposes, and I bet that under the hood there’s no periods at all.

neill April 9, 2018 3:25 PM

all this confusion invites ‘social engineering’

let’s say y’all know about it, but then evil creates “john.doe@xyz.com” on a server that DOES honor the difference, and tricks others into believing it’s “johndoe@xyz.com”‘s email address

how would any “normal”, “non-technical” user know if there’s a difference or not?

there’s gotta be a clear rule for ALL servers, and users

Czerno April 9, 2018 3:45 PM

This is clearly Google’s fault, no doubt IMHO. For one simple reason :
aliasing mailbox names, by ignoring embedded dots, contravenes the net mail RFCs (821 & successors, iirc) in spirit and letter. Google created this problem, and many others, out of sheer arrogance (I think it was more arrogance than ignorance, I’ll give their teams the credit for including very savvy and talented folk).

Tony H. April 9, 2018 3:56 PM

If I had to vote, I’d say Netflix is at fault. Not for not knowing all about Gmail’s treatment of dots in email addresses, but for using an email address as a userid. Unfortunately they’re like much of the world these days – web sites used to have you choose a userid and a password, and then you’d give them an email address for (duh) emails. Now it’s almost always the case that “your email is your userid”, and that, IMHO is the root problem here. There is no generally valid one-to-one mapping of email addresses to userids, nor should there be.

Others have mentioned the “plus convention”, and that’s another thing that was useful once upon a time. But these days every web site uses one of a dozen or so bogus client-side Javascript syntax checkers that reject just about all local-part email characters beyond letters and numbers and if you’re lucky, a dot. I’ve tried complaining when I’m in the mood, and it rarely goes well. I try to make the analogy with phone numbers – would a web programmer get away with arbitrarily rejecting numbers that don’t meet some bogus criteria, say, more than two identical digits in a row? Turns out that some sites actually do incorrectly syntax check phone numbers! Sometimes you can fiddle with the client-side code to avoid their syntax checking, but increasingly many sites have server-side code to double check. If you can actually get a real person to talk to, the best argument against the “our web site is correct so you’ll have to use a different email address” is to send them an email from your address that they are rejecting. All mainstream mail clients actually do quite well – Gmail and even corporate stuff like Outlook or Notes will let you send email to e.g. Bob&Carol+Ted&Alice@example.com but 90+% of web front ends out there won’t take it.

Security Sam April 9, 2018 4:20 PM

@Mervyn Bickerdyke

It appears that I spoke too soon
I read the rules under the moon
Instead of amidst the high noon
Parsing through with a harpoon.

echo April 9, 2018 4:52 PM

This kind of thing is a failure of standards and reeks of bureaucratic failure. I agree this is Google’s arrogance (not just ignorance) and has a buck-passing quality with end users picking up the costs of their mistakes. It may seem small on the surface but taken in aggregate the costs could inflate very heavily. Usually nothing is done until somebody dies, then it’s the old launch an enquiry, lessons must be learned, never again response until next time.

If nobody in the hierarchy is ultimately responsible I propose we form a committee to appoint members, then schedule a meeting in six months’ time to determine the remit of the committee. After appointment of staff and acquiring new headquarters, schedule a meeting after another six months to define the parameters of an investigation…

In ten years after Email 2.0 is successfully launched we can pass a law outlawing the, now, deprecated and irrelevant practices.

Bobby April 9, 2018 5:04 PM

I should add that I’m generally in favor of the warning proposed in the friendly article. The majority of Gmail users don’t know these features exist. The warning can do no harm that I can think of, and may do some good.

@Marshall

You’re absolutely correct. I didn’t think it would be an issue based on average account name lengths, but it would be better to consider the worst case here. Good call.

@Czerno

I question whether they created a problem versus making one worse. For example, DDoS attacks have long existed, but various amplifiers make it so much worse. I think this is sort of like that. Except stopping DDoS is effectively impossible, whereas Netflix could actually close the core security hole.

The idea of an attacker giving a victim “complete” control over the account, but somehow taking it back, sounds like the coin-on-a-string trick seen in old cartoons. That seems more ridiculous to me than the Gmail stuff, but that’s just personal taste.

The problem exists with or without these Gmail features, but those features make this attack more lucrative on average. It’s easier to identify targets, those targets are more likely to respond, and it enables a set of targets that would otherwise be impossible to get at.

Now, maybe the core issue isn’t big enough to worry about. (Obligatory XKCD: #1957). The Gmail thing makes it worse. Maybe even worse enough to do something about it. Or maybe Netflix’s issues were always worth worrying about, even without the Gmail “amplification.”

If Gmail didn’t have these features, the Netflix hole remains. If Netflix closes the hole, it doesn’t matter if Gmail has these features.

Henning Schulzrinne April 9, 2018 5:52 PM

Besides dots and capitalization (in many cases, ALICE@example.com and alice@example.com are the same person), domains routinely have multiple ways to reach people. For example, at my employer, xyz10@ (some unique identifier), first.last@ and xyz@department.institution all reach the same email account, in addition to the + notation. All of these are easily discoverable and guessable. I suspect that this trick would work with most institutions that run sendmail or provide alias email addresses. Thus, having Google “fix” this does approximately nothing. Given that this particular trick doesn’t need lots of email addresses to work, finding other domains will allow the same scam even if Google were to disallow dots and + signs.

More and more, companies seem to require clicking on a “confirm email account” link, so maybe there’s some awareness that this, and email address typos, could be a problem. Maybe this should be required before allowing any account updates.

Netflix has no way of discovering which email aliases are really the same person, so I doubt they can do anything besides new account confirmation.
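An added illustration (not code from the post or from any commenter) of the one thing a signup service can do about the aliases discussed above: compare addresses by the mailbox they reach rather than by exact string, so that a second account on james.hfisher is refused once jameshfisher exists. The per-domain folding rules, the hypothetical example.edu domain and all sample addresses are assumptions.

```python
"""Added example (not from the post or any commenter): comparing signup
addresses by the mailbox they reach rather than by exact string.

Folding rules are per receiving domain and are assumptions for illustration:
gmail.com/googlemail.com fold case, ignore dots and drop '+tags';
example.edu (hypothetical) folds case and drops '+tags' only; any other
domain gets only its domain case-folded, since RFC 5321 leaves local-part
semantics to the receiving host. The folded key is used only for the
"already registered" check; mail is still sent to the address as entered.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# domain -> (canonical domain, strip_dots, drop_plus_tag, fold_local_case)
FOLDING_RULES: Dict[str, Tuple[str, bool, bool, bool]] = {
    "gmail.com": ("gmail.com", True, True, True),
    "googlemail.com": ("gmail.com", True, True, True),
    "example.edu": ("example.edu", False, True, True),   # hypothetical domain
}


def mailbox_key(address: str) -> str:
    """Return a comparison key for the mailbox behind `address`."""
    address = address.strip()
    if address.count("@") != 1 or address.startswith("@") or address.endswith("@"):
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()                       # domain names are case-insensitive
    canonical_domain, strip_dots, drop_plus_tag, fold_case = FOLDING_RULES.get(
        domain, (domain, False, False, False))    # unknown domain: local part untouched
    if drop_plus_tag:
        local = local.split("+", 1)[0]
    if strip_dots:
        local = local.replace(".", "")
    if fold_case:
        local = local.lower()
    return f"{local}@{canonical_domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses fold to the same mailbox under the known rules."""
    return mailbox_key(a) == mailbox_key(b)


@dataclass
class Account:
    email_as_entered: str   # used for delivery and display
    key: str                # used for uniqueness only


class SignupRegistry:
    """Refuses a second account on a mailbox that is already registered."""

    def __init__(self) -> None:
        self._by_key: Dict[str, Account] = {}

    def register(self, address: str) -> Account:
        key = mailbox_key(address)
        existing = self._by_key.get(key)
        if existing is not None:
            raise ValueError(
                f"{address!r} reaches the mailbox already registered as "
                f"{existing.email_as_entered!r}")
        account = Account(address, key)
        self._by_key[key] = account
        return account


def demo() -> Dict[str, bool]:
    """Constructed addresses taken from the post's scenario and the comments."""
    reg = SignupRegistry()
    reg.register("jameshfisher@gmail.com")          # Jim's real account
    try:
        reg.register("james.hfisher@gmail.com")     # Eve's shadow account
        shadow_refused = False
    except ValueError:
        shadow_refused = True
    # A domain with no known folding rule: dot variants stay distinct
    reg.register("w.essing@example.org")
    reg.register("wessing@example.org")
    return {
        "gmail_shadow_refused": shadow_refused,
        "plus_tag_same_box": same_mailbox("alice+shop@example.edu", "Alice@example.edu"),
        "unknown_domain_dots_distinct": not same_mailbox("w.essing@example.org",
                                                         "wessing@example.org"),
    }


if __name__ == "__main__":
    print(demo())
```

This only covers providers whose folding rules are known; the institutional aliases described above (xyz10@, first.last@) cannot be folded this way, which is why confirming the address before any account change remains the more general control.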

Thunderbird April 9, 2018 5:55 PM

I agree that the clear and obvious error here is Netflix’s sending a no-authentication-required URL along with their email.

But, look how incentive and cost line up for them: if they require a login, they might lose a customer; if they don’t require a login, they might have to refund later (but probably not because most people will give up before then).

It is always the case when features that weren’t designed with each other in mind are combined, amusing security holes appear. And the internet is basically a giant machine for combining EVERYONE’S features, whether they want that or not…

Steve April 9, 2018 5:56 PM

Seems like an awful lot of effort just to watch a bunch of rotten movies.

But maybe that’s just me.

Alyer Babtu April 9, 2018 6:12 PM

Just always use for your accounts randomly selected 16-character names; it will be millennia before they find and spoof you.

Jeremy April 9, 2018 6:46 PM

Gmail could perhaps do more to notify users of the aliases they are automatically creating for them and give them an option to turn it off, but this attack doesn’t require an email service that ignores dots; that just makes it easier to find potential victims. (And NO, setting up automatic forwarding from one email address to another does NOT violate some big important net standard. That’s ridiculous.)

It seems to me that the primary fault lies with Netflix for allowing people to access an account using either a password OR an email instead of making at least one of those mandatory.

When the victim enters their credit card info, Netflix assumes they control the account because they received the email (even though they didn’t enter a password).

When the attacker reasserts control of the account after the credit card has been entered, Netflix assumes they control the account because they knew the password (even though they didn’t demonstrate control of the email account).

By creating two separate credentials that are each independently strong enough to access the account, Netflix allows the attacker to split control between themselves and the victim, which is the root of the attack.

-=-

Several posters have suggested that it is in Netflix’s economic interests to not require entering a password even if it makes them less secure. That may be true. Lots of potential security measures are not worth taking because of the inconveniences they would cause; maybe the additional security here is not worth the inconvenience.

But that doesn’t change the fact that Netflix is the one with the security hole. And under this theory, they are also the one who is profiting from not fixing it. So this definitely falls on them.

Fermi's Deceased Feline April 9, 2018 7:50 PM

If James Fisher had to use password recovery to get into the account to set up the payment…how would “Eve” be able to get back into the account afterwards? Any attempt to reset the password would just send a message to…James Fisher.

Hmm April 9, 2018 8:52 PM

@Moderator

The above belongs in the friday squid, if you might be so kind. I blew it.

Multiple tabs are my Barbarossa.

dulaku April 9, 2018 10:12 PM

@Fermi’s Deceased Feline

Assuming Netflix doesn’t revoke sessions whenever a password change happens, all Eve needs to do is never clear their cookies.

D-503 April 10, 2018 12:24 AM

@Erik @Martin
That makes at least three of us!
@Zé
Sounds like a similar situation to me and the German in question.
@Bobby
“Instead of a forever-ongoing issue of getting the wrong person’s e-mail, or not getting yours”
But that’s exactly what’s happening to me and the identically-named German due to Google’s dot bug. Some of the emails I’ve been receiving that are intended for him are highly sensitive. I complained about it to Google several years ago, and they replied with a boilerplate “don’t worry about it” message.

Adi April 10, 2018 2:18 AM

@Mervyn
> GSuite charges you per registered user/email and may have an interest to not allow tricks to create multiple emails per mailbox….

On the contrary, G Suite allows you to configure one of the hosted domain accounts as a catch-all (*@example.com). Such accounts are allowed as a delivery method when an email address does not map to a standard account. You can have both standard accounts and a catch-all account on the same domain.

RFC 5321 section 2.3.11 allows such usage of catch-all email mailboxes with wildcards, and they are VERY useful when used as receive-only addresses for antispam usage and as indicators of compromise in case of data leaks in 3rd party databases.

I use such a catch-all configuration with receive-only addresses tailored to whatever service asks for them, and I can make them up on the spot (e.g. [site-name]-[keyword1]-[YYYYMMDD]-[keyword2]@mydomain) for almost anything that asks me for an email address.
This way I can even use a pen on a paper form and make up a unique email address on the spot, JUST for filling in that form.
If that address starts to receive unsolicited mail from anywhere else except the site it was designed for, then that means that they either sold my data to a 3rd party or they had a data leak, and the EU GDPR is very unforgiving with such usage. Such a breach under the GDPR can result in fines of up to 4% of annual global turnover or €20 million (whichever is greater).

Gmail’s traditional plus-aliased addresses are not properly usable anymore because many sites do not allow “plus” characters in email addresses. Catch-all wildcard mailboxes are much more flexible for this but you need to have your own custom domain – they cannot be used with the general domains used by the public.

Adi April 10, 2018 3:40 AM

P.S.
In addition to the catch-all, G Suite also allows you to manually define multiple static aliases for an account, but the catch-all is more important i.m.h.o. because it allows infinite on-demand dynamic creation of addresses that are mapped to a single email account.

A Google User April 10, 2018 7:47 AM

I see it as more of a problem if email providers allow someone else to register my email by just adding an extra dot.
And Google does care about exactly how you registered your email address: if you register as name.lastname then you have to include the dot to log in, which makes it even more secure if you put the dot somewhere random and email people with the dot in a different, more logical place (so your login is obscured from the email that you send out).

And I don’t think the scenario works as described: the person with the email address (james) would get all the emails about the new Netflix account being created and can step in to remove the account. I’m not sure if Netflix requires a verification of the email, but when the credit card is declined Netflix will certainly require james to log in to the login with the dot, so either eve knows james’s password (which would make the whole exercise moot) or when jameshfisher gets a “declined credit card” notice he’ll notice his regular password doesn’t work, and if that doesn’t alert him he will ask for a password change which will not be sent to eve! So james will just activate a second account which only he has access to! It just doesn’t seem like a security risk at all, and for many people removing this feature (and the + aliases) will mean a reduction in security and privacy.

A Google User April 10, 2018 8:08 AM

And I’ve checked with emails from my own Netflix account: links do not contain authentication information, so I go to my own account, or when opening the links in a private window I have to enter my login/pwd.
A scam this is not.

Bobby April 10, 2018 8:54 AM

@D-503

Absolutely. I also recall various comments about German duplicates. All of you are suffering the worst case scenario right now. (eg, forevermore, you and your German doppelganger may accidentally get each other’s e-mails.)

But I’m fortunate in that my account receives e-mail sent to gmail.com or googlemail.com, and from what I can tell nobody can sign up with dot variants of my account today.

So I believe it is prevented now. But even if so, it clearly wasn’t always prevented. Sorry if I’ve implied otherwise.

@A Google User

I also thought that I needed to use the original account name to sign in, but I checked it yesterday to be sure. To my surprise, I was able to sign in with a few random dot-variants.

But you are correct about the Netflix authentication. The scenario in the original article is that the victim has to do a password reset before they can enter payment information.

One would think that cinches it. The victim now has the e-mail and the password, so the attacker presumably has nothing. But as @dulaku implies, there are at least three ways to have control over a Netflix account:

1. Know the password (you can sign in)
2. Control the e-mail (you can reset password to get #1)
3. Have an existing session (you can do anything)

This exploit as written would leverage all three. The attacker starts with all three, gives the victim #2, hopes the victim claims #1 on their own, then snatches it all back with #3 or some other capability.

    If password changes invalidated existing sessions and required them to enter the new password to continue, that would take #3 away from the attacker before they can abuse it.

    (Earlier, I’d also suggested that a new account could simply validate e-mail before a password is ever entered, preventing the attacker from ever having #1, #2, or #3. But I guess that wouldn’t help with changing the e-mail address on an existing account.)

    @All

    Does Netflix allow multiple e-mail addresses/passwords on one account? For example, mom, dad, and the kids have their own login info, but both mom and dad have full control over the account?

    If so, that might be another way to exploit this. Add the victim to the account long enough to get payment information, then kick them out.
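To make the session point above concrete, here is an added example (not Netflix’s code and not from the post): a toy session store that ties each session to the account’s credential version, so a password reset revokes every session issued before it (capability #3); a switch reproduces the weak behaviour for comparison. The names and the Eve/Jim sequence are constructed.

```python
"""Added example (not Netflix's code or anything from the post): a toy
session store that ties every session to the account's credential version.

A password reset bumps the version, so sessions issued before it stop
validating. revoke_on_password_change=False reproduces the weak behaviour
the comment worries about, for comparison. Names and the Eve/Jim sequence
are constructed for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    password_hash: str
    credential_version: int = 0   # incremented on every password change


@dataclass
class Session:
    token: str
    email: str
    credential_version: int       # version current when the session was issued


class AuthService:
    def __init__(self, revoke_on_password_change: bool = True) -> None:
        self.revoke_on_password_change = revoke_on_password_change
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash(password: str) -> str:
        # Stand-in only; a real service uses a salted, slow password hash.
        return hashlib.sha256(password.encode()).hexdigest()

    def _issue(self, acct: Account) -> Session:
        session = Session(secrets.token_hex(16), acct.email, acct.credential_version)
        self.sessions[session.token] = session
        return session

    def signup(self, email: str, password: str) -> Session:
        """Create the account and log the creator in (capabilities #1 and #3)."""
        acct = Account(email, self._hash(password))
        self.accounts[email] = acct
        return self._issue(acct)

    def login(self, email: str, password: str) -> Optional[Session]:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash != self._hash(password):
            return None
        return self._issue(acct)

    def reset_password(self, email: str, new_password: str) -> None:
        """Called once the mailbox owner has proved control of `email` (capability #2)."""
        acct = self.accounts[email]
        acct.password_hash = self._hash(new_password)
        if self.revoke_on_password_change:
            acct.credential_version += 1   # every earlier session now mismatches

    def session_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        acct = self.accounts.get(session.email)
        return acct is not None and session.credential_version == acct.credential_version


def run_scenario(revoke_on_password_change: bool) -> dict:
    """Eve signs up with Jim's alias; Jim resets the password from the mailbox."""
    svc = AuthService(revoke_on_password_change)
    email = "james.hfisher@gmail.com"                # constructed, from the post's scenario
    eve_session = svc.signup(email, "eve-chosen-password")
    svc.reset_password(email, "jims-new-password")   # Jim turns #2 into #1
    jim_session = svc.login(email, "jims-new-password")
    return {
        "eve_old_password_works": svc.login(email, "eve-chosen-password") is not None,
        "eve_session_still_valid": svc.session_valid(eve_session.token),
        "jim_session_valid": jim_session is not None and svc.session_valid(jim_session.token),
    }


if __name__ == "__main__":
    for revoke in (False, True):
        print("revoke sessions on password change =", revoke, run_scenario(revoke))
```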

    AlanS April 10, 2018 9:59 AM

    @D-503

    I complained about it to Google several years ago, and they replied with a boilerplate “don’t worry about it” message.

    Be assured that the Benefactor is working on a solution to restore happiness.

    A Google User April 10, 2018 10:04 AM

    @Bobby

    I tried it too and indeed the . does not matter for login either, doesn’t really bother me but good to know.

    Here’s Google’s page on the .
    https://support.google.com/mail/answer/7436150

    On Netflix there’s only 1 email address; the different profiles are not really separate accounts, and there’s no real security on them either: anyone can switch to another profile. For kids’ profiles there are some options with age restrictions and PINs to see certain content.

    D-503 April 10, 2018 10:34 AM

    @Fermi’s Deceased Feline @Bobby etc
    “If James Fisher had to use password recovery to get into the account to set up the payment..”
    “The scenario in the original article is that the victim has to do a password reset before they can enter payment information.”
    That’s the exact opposite of what James Fisher wrote. The Netflix website didn’t ask him for a password or any other authentication for the account page. A huge security fail, but as @Random1 and @Thunderbird pointed out, it makes business sense for Netflix: If Netflix gave users a moment to think about it, they’d realise that the local public library has a bigger selection of movies and shows, and they can save hundreds of dollars by ditching Netflix. By this reasoning, Netflix would lose half its customers if payment updates were to require authentication. Between cable TV[0] and the public library and youtube and vimeo and video games, Netflix has a lot of competition.
    James Fisher only used password reset after he realised that the credit card number displayed on the account page was wrong. And he only used password reset to hack into Eve’s Netflix viewing history.
    I think one reason why so many commenters here assume James Fisher used password recovery is the unspoken reasoning: “who[1] would be so irresponsible/unethical as to leave user account pages including payment information wide open on the internet?”
    James Fisher:
    “I clicked the link. It logged me in and took me to an “Update your credit or debit card” page[2], which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognize.”

    [0] In the city where I live the only home internet access is through cable TV companies, who bundle cable TV with internet service, and not coincidentally have successfully lobbied the feds to kill net neutrality.
    [1] A too-big-to-fail corporation?
    [2] Following up on @dulaku’s and @A Google User’s comments, I wonder if there’s something very weird going on with the way Netflix sets and uses cookies. But that would require two errors on James Fisher’s part, instead of merely error #2:
    1) allowing cookies but failing to purge them between websites
    2) clicking a link in an unsolicited email and trying to enter payment information there

    rei April 10, 2018 12:25 PM

    Interesting to see this flagged as a vulnerability when I’ve used it as a “feature” for years allowing me to sign up under a “different” email address while having the email go to the same Gmail account. Essentially allowing me to sign up for multiple Netflix trials.

    x2bike4u April 10, 2018 1:06 PM

    I have a gmail account in the form na.smith@gmail.com. I’ve had it for years and years. About two or so years ago I started getting emails for a person in Australia (I’m in the US). She is using nasmith@gmail.com.

    I started replying to the senders saying I’m not that person and please tell her I am receiving her emails and that she isn’t receiving them, but I still receive her emails. I get day care invoices, travel itineraries, soccer schedules, birthday greetings, car maintenance reminders. Its amazing how well I know this person from these emails

    DrYak April 10, 2018 1:32 PM

    @Erik:

    Actually, up until 2012, gmail.de was an entirely different mail server in Germany not affiliated in any way to Google.

    @googlemail.com or .de was the only correct server name for Gmail in Germany.

    So: it might be a “w.essing@gmail.de” who used Giersch mail back in the days, but after Google managed to win the trademark dispute over “gmail”, you receive what is destined for this address, because “w.essing” maps to “wessing” for Google, and “gmail.de” now maps back to “gmail.com” like any other “gmail.*”, and Herr Essing never bothered to update his e-mail on every last forum/webshop/etc. with whatever he uses nowadays after the fall of Giersch mail.

    MarkY April 10, 2018 2:09 PM

    This is happening to me except the individual who has my email minus the dot is just another guy NOT trying to take advantage of anyone. I receive his receipts and invoices, to the point that I actually received his phone number and yes, I did call!! He was just as shocked as I was. He gave me an alternate email to send his invoices to him that he never received. Here is the kicker…I tried to call Google, but never found a good number, so I emailed them. THREE MONTHS AGO!!! Still no reply about the issue. I still get the other guy’s email and I still forward his important stuff. I just wish Google would fix the issue. I have had this email for a couple of decades or so I think…long enough I don’t remember when it was. I do know Google wasn’t a verb yet. But, I do not want to go through the hassle of creating a new email. Anyone have any suggestions?

    lazysusan April 10, 2018 2:13 PM

    As a matter of interest I have a protonmail account created with a dot in the email address, I always quote it with the dot and assumed it was required. I have just sent emails from another account to the version with the dot removed, a version with the original dot plus an extra one and a version with a + and appended text in the local part. All three arrived in my protonmail inbox. So definitely not just gmail.

    Christopher April 10, 2018 2:26 PM

    I fail to see any security flaw on Google’s part, but I see multiple on Netflix (assuming the accusation is true):

    1) Netflix allowed someone to sign up using this email and didn’t verify it, so they have been communicating information about the account to an email not controlled by the account owner (and bothering the email owner who had no contact with them)

    2) Netflix allowed the email owner, and anyone who was on an unencrypted hop between Netflix and the email recipient, to access the account without a password.

    3) Someone could create an account and phish an email recipient into updating credit card information on the wrong site.

    I will note that none of these problems would be solved if Google stopped allowing w.essing to also have wessing. What if neither wessing nor w.essing had an account? Netflix still blindly trusted that the person who entered w.essing@gmail.com on their website actually received email at w.essing@gmail.com. It’s not that hard to validate that the email entered on your website actually goes to your account holder, particularly when you’re going to ask for their credit card number. I get other people’s crap constantly, and several companies (Uber and Paypal immediately come to mind) make it virtually impossible to shut the account down because even though they never validated the email when they created the account, they’ll try to validate that the email recipient really controls the account before they shut the account down.

    Bobby April 10, 2018 2:33 PM

    @D-503

    I see. Perhaps I misunderstood this part of the original article: “…I own james.hfisher@gmail.com, and so I can follow the password reset process for this account. I did so.”

    I read the article as a common “here’s when I noticed something went wrong” kicker to grab attention, followed by “back up to the very beginning and tell the whole story chronologically.” So I assumed resetting the password happened early on, and the payment e-mail came later. In such a case, lack of authentication for the payment URL could simply be that the browser still remembered his previous Netflix session, in the rogue account.

    Based on what you and others have said, anyone in the world can use one of these links to go to a malicious account’s payment page. Traditional phishing e-mails could send these links to anyone they wanted, no matter what e-mail provider they’re using.

    They could even be sent to the exact e-mail address of an existing Netflix account. That’s arguably worse than what the Gmail aliases permit. The main deficiency is that the e-mails would have to be ordinary phishing e-mails, not genuine Netflix e-mails.

    However, the links inside could still be genuine. Worse, the netflix-dot-com/YourAccountPayment page has absolutely no identifying information other than the existing payment details. A credit card name of “PAYMENT EXPIRED” could allay suspicions enough to get someone to enter in payment details on someone else’s account.

    @DrYak

    Thank you for that insight. That certainly jibes with all these mentions of German doppelgangers in these comments.

    I’d be curious whether any of the people here with Gmail doppelgangers can sign in to their Gmail account with the “wrong” e-mail address.

    If they can, perhaps the doppelganger account never existed and this is some kind of human error. Or, worse, the doppelganger’s account used to exist, but now it’s gone. And you’ve automatically/accidentally inherited someone else’s e-mail address in the process.

    nonplussed April 10, 2018 4:01 PM

    Side Note: As a few others have alluded, the Gmail + feature is actually very useful.

    Zorro April 10, 2018 4:22 PM

    Use Netflix free forever with Jim’s card

    No, you contact Netflix and explain what happened and they fix it. If they don’t you dispute the credit card charges and Netflix rapidly changes their own procedures to avoid any more chargebacks. This sort of credit card fraud happens all the time. I saw a variant firsthand myself over a decade ago with SoE’s EverQuest. It’s just a new wrinkle on a very old crime.

    Oh, and the dots or plus (e.m.a.i.l+foo@gmail) or whatever, that’s really useful to auto-file email into folders. I was getting swamped with junkmail from amazon, newegg, and so many others until I discovered that trick. Works really well with Thunderbird and IMAP over SSL!

    Mervyn Bickerdyke April 10, 2018 6:32 PM

    @MarkY

    This is happening to me except the individual who has my email minus the dot is just another guy NOT trying to take advantage of anyone. I receive his receipts and invoices to a point that I actually received his phone number and yes, I did call!! He was just as shocked as I was. He gave me an alternate email to send his invoices to him that he never received.

    So.. to sort this out:

    • your email MINUS the dot is still your email
    • the email was sent to THAT address – YOUR address.
    • YOU received that email
    • The other guy did NOT receive it as it was sent to YOUR email

    Here is the kicker…I tried to call Google, but never found a good number, so I emailed them. THREE MONTHS AGO!!! Still no reply about the issue.

    WHY???

    and

    What issue?

    Email sent to your email address ending up in your mailbox is NOT an issue at all! At least not on Google’s side.

    The issue is the other people sending the other guys email to YOUR address instead of the other guys address.

    And don’t let that other guy fool you into believing that that is his GMail address. Evidence A: YOU receive the email. He doesn’t.

    Mervyn Bickerdyke April 10, 2018 6:35 PM

    @DrYak & Bobby

    gmail.de is NOT mapped to any Google email domain. Any mail sent to that domain will cause an error message after 24 and 48 hours.

    But it is possible that people who try to send to old gmail.de addresses receive that error message and simply retry with gmail.com

    Otter April 10, 2018 10:33 PM

    James Fisher is the vulnerability here, assuming Bruce has quoted him accurately.

    James Fisher says he is accustomed to giving his credit card information to almost anybody who asks for it. James Fisher says he pays his credit card invoices without checking the line items.

    Any phisher knows there is a sucker born every minute, and most of them have email addresses and credit cards.

    Of course, Fisher might be a Phisher, wondering whether anybody will notice.

    CraigC April 10, 2018 10:42 PM

    How is everyone missing the flaw in this supposed vulnerability – in which there is none.

    The guy who posted seemed to miss the fatal flaw in his logic, that in which HE HAD TO RESET THE PASSWORD BEFORE HE COULD LOGIN TO THE NETFLIX ACCOUNT!

    He makes this very clear in his post:

    “Eve has access to account N2 because she set its password when signing up, but I also have access to the account because I own james.hfisher@gmail.com, and so I can follow the password reset process for this account. I did so.”

    Once the author reset the password, he immediately locked the other person out of the account – permanently. The other person no longer knows the current password, and cannot reset it because they don’t have access to the e-mail address that is registered to the account. He can’t change anything, because he can’t get back in.

    Having said that, I’m sure there may be other sites where they may not require a login or a password reset when in all cases when they send a link – but that would always be a flaw in the security of the sending site.

    It’s definitely good to be aware of the possibility that multiple accounts could possibly be created with one gmail address – but there is no way this introduces any vulnerabilities in and of itself.

    Hmm April 11, 2018 12:48 AM

    This is all too cerebral.

    Could someone please act out an Abbot and Costello routine for the laypeople?

    DrYak April 11, 2018 8:50 AM

    @CraigC :

    Once the author reset the password, he immediately locked the other person out of the account – permanently.

    Actually, I’m not sure if changing the password will automatically kick out any currently logged-in session.

    Eve cannot re-log with the new reset password.
    But maybe Eve still controls any session that was already logged in at that point.

    DrYak April 11, 2018 8:55 AM

    @CraigC :

    Once the author reset the password, he immediately locked the other person out of the account – permanently.

    Actually, I’m not sure if changing the password will automatically kick out any currently logged-in session.

    Eve cannot re-log with the new reset password.
    But maybe Eve still controls any session that was already logged in prior to that point.

    hfox April 11, 2018 9:56 AM

    The ignoring of dots causes me no end of trouble as there seem to be multiple people who don’t actually know their own email addresses and instead think that it is mine but without the dot (always without the dot). I have gotten an amazing number of interesting things where it is obvious that the person actually typed in the address so I know it’s not a typo by a clerk at the mall.

    justina.colmena April 11, 2018 9:57 AM

    Numerous DNS-based marketing blast headers such as SPF, DKIM, and DMARC, with their long sequences of random characters and pass/fail indicators are all but mandatory on email these days.

    Some of them are digital signatures of sorts, and there is an algorithm for checking them against the mandatory DNS helper junk records, but at some point, too many blast headers are a positive indicator of spam, regardless of whether or not they match the junk records in the DNS.

    https://www.therealconspiracyforum.com/index.php?/topic/2065-strange-message/&tab=comments#comment-14380

    Ted Thibodeau Jr April 11, 2018 7:55 PM

    Bruce, you disappoint me. Your sloppy analysis here, where I know a fair bit, puts into question all your other analysis of things I know less well.

    There is no question but that Netflix is at fault for (1) not verifying the email address in the first place, (2) sending a pre-authenticated account login link to an unverified recipient mailbox.

    Either of these would address the issue, which is not specific to Gmail’s ignoring of dots in the local-part (which they are 100% entitled to do, according to RFC5322). Gmail is basically treating all dot-split variants of the non-dot-split variant as aliases of one mailbox (which we might as well consider to be the non-dot-split, but could be any dot-split variant). That’s perfectly legit.

    It’s no less legit, even if it’s not to James H Fisher’s personal taste, than the + extension, which he does like.

    Netflix has a definite vulnerability here, as does any other service which blindly accepts email addresses without verifying that they reach the intended recipient/account-creator/account-holder.

    Netflix compounds that by then dispatching a pre-authenticated account access link that requires no validation of the recipient.

    Gmail has no fault, no fail, no vulnerability, not even by contamination/combination with the Netflix issues.

    plus sign April 11, 2018 9:13 PM

    The trick is to use the gmail + sign after the email so first.lastname+some random guid@gmail.com defeats any attempt as I know my netflix login guid is different than any other service.

    Thomas April 12, 2018 1:22 AM

    The Gmail behavior is a major flaw in personal privacy, not an obscure one. My Gmail mailbox routinely receives email meant for multiple other people, all of whom appear to have @gmail.com email addresses that are identical to mine except for the dot. The amount of personal / private information that shows up is shocking – includes bills, hotel and airline bookings, photos, invitations to events, even scanned copies of passport, tax returns etc. I stopped using my Gmail account years ago for anything significant for this reason.

    Mervyn Bickerdyke April 12, 2018 3:54 AM

    @Thomas:

    Receiving an email that is SENT TO THAT ADDRESS is no personal privacy flaw. The problem is sending the email NOT to the intended recipient.

    Sancho_P April 12, 2018 7:41 AM

    @Mervyn Bickerdyke

    Not sure if I understood correctly?
    So you say to mix people’s account content isn’t a personal privacy flaw?
    I’m not talking about several addresses for one individual person / account,
    here obviously the (OT) issue is confusing persons / accounts.

    I don’t gmail, but don’t they require personal identifiers like phone numbers or so?

    And not to investigate and clarify after a complaint is … Google.

    Impossibly Stupid April 12, 2018 9:22 AM

    @Ted Thibodeau Jr

    Gmail has no fault, no fail, no vulnerability, not even by contamination/combination with the Netflix issues.

    While it’s nice to hear your Google check cleared, every security-minded professional who thinks for themselves will disagree with you. Google controlling your communications is not a good business practice. Google controlling such a large number of accounts creates an enormous attack surface. Google then combining so many account IDs by removing information is absolutely moronic.

    Just read the comments here about people getting emails intended for other Gmail users. A large percentage of them are probably simple typing errors. Many of them would just have bounced if Google wasn’t stripping out periods (or doing who knows what else).

    The overarching problem here is that Google seems to think it owns email now. And it’s being a dick about it. And that’s making it hard for other businesses to get work done in a reasonable fashion. Security complications like this one are just the tip of the iceberg.

    Fermi's Deceased Feline April 12, 2018 11:54 AM

    @D-503
    Thanks for clarifying, I get it now. Despite the point you raised about Netflix wanting the update process to be as seamless as possible, that’s a hard fail on their part.

    Czerno April 12, 2018 2:31 PM

Re: the Google (Gmail) flaw [I know zilch of Netflix], what several people ignore/don’t know is that in effect there exist homonymous mailboxes (mail user names if you want) belonging to different people. The sad situation arose out of the way GMail treats embedded “dots” in GMail user handles, while creating new boxes and then during the box’s lifetime, the details of which were refined/changed, more or less silently, several times during the many months GMail stayed “beta”, but creating conflicting names among existing/new users (i.e., identical when the dots are stripped off) for SOME (probably small? but non-null number of) users, but the problem was hardly acknowledged and never addressed by Google, so it remains obscure to most (unaffected) users, and those affected were never notified – except people realising part of the mail received regularly in their mailboxes is definitely intended for some other person whose handle collides with their own.

    This question was evoked a few times on the forums in the early months of GMail, but buried & never successfully addressed by Google (I think they could care less…)

    Hope I’ll have made the point clear enough despite very limited English writing skills.

    Peter Boughton April 12, 2018 3:26 PM

    Impossibly Stupid wrote:

> Just read the comments here about people getting emails intended for other Gmail users.

    As per https://support.google.com/mail/answer/7436150?hl=en
    “Adding dots doesn’t change your address, so dots aren’t why you got someone else’s mail. Instead, the sender probably mistyped or forgot the correct address.”

    > The overarching problem here is that Google seems to think it owns email now.

    There are a huge number of problems with Google, but the way Gmail maps the local part of an email address to a user’s mailbox is not one of them. Their behaviour here is in compliance with the standards.

    Having multiple aliases for a single mailbox is neither new nor unique to Google.

    Czerno wrote:
    “but there’s a bug with dots / behaviour changed” (paraphrased)

    Prove it.

    As per https://productforums.google.com/forum/#!topic/gmail/nWLQfavNdKs
    “Gmail’s policy about dots in usernames was the same the first day the product launched as it is now.”

That’s a long thread where a lot of people are claiming an issue exists.
    Nobody has presented proof that distinct accounts were created and merged.
    Nor is there evidence that creating an account to takeover someone else’s is possible.
Nor are there complaints from people whose account was “lost” – only from people who are getting “other people’s mail” and leap to the conclusion that it’s due to dots.

    All of that points to incorrectly addressed messages, not a Gmail issue.

    Again, I’m at the front of any queue to blame Google for their multitude of flaws and incompetence, but nobody has demonstrated any fault with them on this issue.

    Czerno April 12, 2018 4:06 PM

    @Peter Boughton :
(changed behaviour @GMail, Google’s denial): they may not be genuine/insincere, or the Google person who made the soothing statement didn’t know what s/he was talking about – too much of a stretch? I had several GMail accounts very early in the beta, and I do remember there were changes in how the dots were processed, at least one of which had the /obvious/ consequence of, potentially, allowing the creation of colliding boxes (voluntarily, or unwittingly). The only question then was, would Google do something to remedy it, or at least warn affected users (if any). Most probably they did not, under the pretext it was “GMail Beta” after all :=)

    “Prove it.”
    I’ll make this very short – I can’t prove nor disprove a thing. There is no appearance /I/ was one of the affected. Twas many years back, that ! Details might be unearthed by digging forum archives very hard, assuming they haven’t been purged. But, who cares ? I don’t use GMail for anything that really matters ;=) YMMV as they say…

    TRX April 12, 2018 4:46 PM

    Problem B would be that Google allows creating more than one account pointing to the same mailbox without returning an error or retry message to the user.

    Problem C would be that Google uses the gmail address as its service login and tracking token. So they’re either discriminating between b.schneier and bschneier at that level, or they’re conflating multiple users with the same accounts. I wonder if users of their online office suite have had any problems…

    Peter Boughton April 12, 2018 5:38 PM

    > “Details might be unearthed by digging forum archives very hard, assuming they haven’t been purged.”

    So Google are not only denying the issue they’re deleting all proof of it from the Internet? :/

    It is FAR more likely that people are misunderstanding and/or misremembering but unable to accept their own fallibility.

    It would be great to receive evidence that Google are actively covering up something like this, but none of the hundreds of reports actually have any. If anyone can show something remotely solid, please do – but I’m not holding my breath!

    (Of course, this is all ignoring that the issue Bruce has blogged about is not about [mythical] shared/hijacked Gmail accounts, it’s about someone creating a Netflix account with an email address that doesn’t belong to them, and being able to generate payment-requesting-emails without first verifying the owner of the email is the person who signed up.)

    Impossibly Stupid April 12, 2018 8:37 PM

    @Peter Boughton

> Having multiple aliases for a single mailbox is neither new nor unique to Google.

    You not only removed the context for my comments, but created a straw man, too. I never said the problem was the aliases themselves. I explicitly stated that the main problem is one provider having so many accounts that near-identical variations are more likely to be hits in the case of a typo, and that their discarding dots makes it many times worse. For example, someone with the account justinetaylor is now one typo away from justin.taylor, who is one from just.in.tailor. The more accounts there are, the worse it gets; discarding the dots essentially throws away bits that could have been used to further unique the account.

    Doesn’t matter that the standards allow it. What matters is that Google is too big to be intentionally reducing their address space like that. Because users of other “too big” companies like Netflix are going to experience edge case vulnerabilities like this one. View it as a proof of concept; expect similar variants to make bigger headlines in the coming years if something isn’t done.

    No only Sussex April 12, 2018 10:02 PM

Why should Nelftix send a validating message? The user creates an account (and password) and specifies an email-address-formatted string, for what, communications preference? Not actually that needed. Tick the box that says no thanks, I’ll just check in from time to time to see if you have messages for me (there is such a box, isn’t there?). If the email doesn’t exist at the time of account creation or is, or comes to be at some later date, in use by another person, who cares beyond the nuisance level?

    The problem seems to arise because Nelftix sends sensitive, secret stuff of the user via email. That seems reckless in any context since email is so insecure.

    So Nixfelt -1 point for reckless emailing.

    On the principle accept generously, send strictly, Göödel dot-collapse feels a bit reckless, since a general purpose service should make more distinctions rather than fewer. Individual companies also collapse dot and case. However, this feels OK because the addresses are understood to represent specific persons and trivial variations should go to the same individual.

    So Goöqle -1 point for violating sacred computing rubrics from ancient days.

    Michael Warfield April 13, 2018 10:33 AM

There are a number of conventions on the local part of an E-Mail address. I wrote code fixing the “%” hack for “smail v3” decades ago. In that convention, a “%” represents an “@” in the local part and the local system then replaces the right-most “%” with an “@” and resends. It’s “source routing” in E-Mail form. Sort of a back assward form of a “bang path” (UUCP ! notation). Back then Banyan Vines interpreted an “=” sign to be a space since they allowed spaces in their user names. None of these conventions are particularly used or supported any more. The RFCs have generally pointedly stayed away from any edicts on the local part, other than some informational RFCs on extensions.

    Classically (and in RFC) address “extensions” have taken the form of “+” extensions (sendmail and postfix) or “-” (QMail). Because some IDIOT web sites do not allow “+” in an E-Mail address, some of us admins have resorted to the translational rules listed on the “plushaters” web site to make sendmail et al support both + – and . as an extension delimiter. My personal system supports all three delimiters very effectively and I use it for spam detection and avoidance. It’s also used in some anti-spam unique E-Mail address apps.

    In an extension, if the local part does not completely match a valid user, the local part is scanned and the right most extension delimiter is used as a terminator and you recurse back to local matching. So foo+bar+now matches itself, but if not, matches foo+bar, but if not, matches foo and if not fails. That’s NOT the same case as “match.maker” matching “matchmaker” but I can see where this could be confusing in this case. I’ve not run into the case where the delimiter is simply ignored and collapsed as is described here.

    IAC… RFC rules are pretty specific that the local part of an E-Mail address is up to the local systems to interpret. If two different systems interpret them differently, it’s not the receiver that’s to blame for being RFC compliant.

In my experience, there are a LOT of local receiving MTAs that support E-Mail address extensions in some form or another. Far more support it than not, just due to the preponderance of SendMail, Postfix, and other similar servers on *NIX servers (UNIX, Linux, BSD, et al).
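The two mailbox-matching rules contrasted in the comment above, written out as an added example (not Michael Warfield’s code nor any MTA’s): extension matching cuts at the right-most delimiter and retries, so foo+bar+now falls back to foo+bar and then foo, while Gmail-style canonicalisation simply discards dots before comparing. The delimiter set (+, – and .), the sample user list and the addresses are constructed for the example; the +suffix stripping in the Gmail rule is taken from Gmail’s documented plus-addressing, not from this thread. The last function quantifies Impossibly Stupid’s point about discarded bits: a local part of n characters has 2^(n-1) dotted spellings that all land in one mailbox.

```python
"""Two ways a receiving system can map an address's local part to a mailbox.

1. Extension matching (sendmail/postfix style, as described in the comment):
   try the whole local part, then cut at the right-most delimiter and retry.
2. Gmail-style canonicalisation: drop dots (and a +suffix) before comparison.
"""
from typing import Optional, Set

# Assumption: the three extension delimiters named in the comment.
EXTENSION_DELIMITERS = "+-."


def resolve_extension(local: str, known_users: Set[str],
                      delimiters: str = EXTENSION_DELIMITERS) -> Optional[str]:
    """Return the mailbox that `local` resolves to under extension matching.

    foo+bar+now -> foo+bar -> foo -> None.  A delimiter that is *inside* a
    mailbox name (match.maker) only matches if that exact name exists; it is
    never collapsed to matchmaker.
    """
    candidate = local
    while True:
        if candidate in known_users:
            return candidate
        # Right-most occurrence of any delimiter; -1 if none is present.
        cut = max(candidate.rfind(d) for d in delimiters)
        if cut <= 0:          # no delimiter left (or a leading one): give up
            return None
        candidate = candidate[:cut]


def gmail_canonical(local: str) -> str:
    """Gmail rule: dots are ignored and anything after '+' is an alias."""
    base = local.split("+", 1)[0]
    return base.replace(".", "").lower()


def collides_under_dot_collapse(a: str, b: str) -> bool:
    """True when two spellings reach the same Gmail mailbox."""
    return gmail_canonical(a) == gmail_canonical(b)


def dot_variant_count(local: str) -> int:
    """Number of distinct dotted spellings that collapse onto `local`.

    A dot may sit (or not) in each of the len-1 gaps between characters.
    """
    base = local.replace(".", "")
    return 2 ** max(len(base) - 1, 0)


if __name__ == "__main__":
    users = {"foo", "foo+bar", "matchmaker", "match.maker"}   # constructed
    print(resolve_extension("foo+bar+now", users))   # foo+bar
    print(resolve_extension("foo-list", users))      # foo
    print(resolve_extension("match.maker", {"matchmaker"}))  # None: not collapsed
    print(gmail_canonical("match.maker"))            # matchmaker
    print(dot_variant_count("jameshfisher"))         # 2048
```

The practical difference for a site doing duplicate detection at signup: under extension matching the receiver decides what an unknown suffix means, so a site cannot safely assume any two local parts are equivalent; under the Gmail rule the equivalence class is known and large, which is why a site that treats each spelling as a distinct account is what makes the scam in the post possible.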

    Elisha Gnubby April 15, 2018 4:51 PM

    This isn’t a gmail problem. It’s a classic phishing problem. Netflix allows links in emails to auto-log you in to their site. Once they have made this security concession (in the name of reducing “friction” to commerce, I suppose), it doesn’t really matter what GMail does with email addresses since emails are trivial to forge so it would be possible to send a phishing mail containing the autologin URL, whether or not the dot feature exists.

    The dot feature pulls traditional phishing down to the reach of technically unproficient teenagers, but this change seems significant only to a hysterical journalist, not to someone doing real threat modelling. Forging convincing html phishing mail is a low bar.

A solution is to somehow include the logged-in user in the site’s cryptographic endpoint name, by which I mean the thing traditionally displayed in the URL bar after a green ‘https’ that the user theoretically checks before providing credit card info. Logging into someone else’s netflix account is analogous to i18n trickery and i vs l trickery in domain names: a super-encrypted connection to who-knows-where.

    The user should get feedback that:

    • this is a site on which they’ve created an account earlier
    • they are logged in with the account they created earlier

    The feedback feature I propose is a combination of https cues and automatic password storage. The automatic password storage needs to become like bookmarks or addressbooks, and to function as a trust cue.

    U2F solves half of the problem with phishing by making it impossible to accidentally attest to having control over a proxy. Somehow including login identity in a web origin’s user-visible crypto identifier solves the other half. And this other half has needed better solving even before this news cycle.

    Agreement between sites and gmail over the gmail dot feature doesn’t solve much of anything except improving third party sites’ ability to nail their customers to a single despammed Google Account. A good security framework would leave that “problem” intentionally unsolved.

    Driveby Idealogue April 15, 2018 7:53 PM

    @Kai – “This is one of my main gripes with Google. They’re now big enough that they can do whatever they want and ignore the bits of published standards that they don’t like.”

    Nah, what comes before the @ is literally the domain of the after-@ domain holder. If google was autostripping dots from destination addresses of messages sent by their users, then you’d have a point. But the whole point of decentralization is that what is in their domain is under their control, as it should be. They may also have a hardcoded policy precluding users from choosing the address “google.is.fn.evil.as.f@gmail.com”. That is and should be their right.

    No only Surry April 15, 2018 10:23 PM

    Granted the RFCs and Gøødal’s compliance with them, there remains the question of whether the use made of the standards is proportionate to the declared intent of the service. The standards are not just a game of simon says rules, but were meant to serve communications good.

    myPalabok April 16, 2018 4:52 AM

    no matter how advanced the field gets, there will always be stupid people entering information without thinking, clicking without thinking..

    the solution is a fix for stupid people.

    Roland Giersig April 16, 2018 6:10 AM

    As has been said above by some others:

    Netflix uses an EXTERNAL ID (GMail-Address) entered by an UNAUTHENTICATED USER as a supposedly unique account id WITHOUT verifying it.

    Netflix allows entering of sensitive credit card information WITHOUT authenticating the user first.

    And still some people want to blame it on Google or don’t acknowledge that Netflix is at fault for crappy security.

    Oh well…

    David April 16, 2018 1:58 PM

    This seems clearly Netflix’s responsibility. Netflix should not depend on certain behavior of 3rd party entities for its security. What if the user entered vleemdo.blurque.blah@gleemglumglom.ru? How does Netflix know and trust what the email provider, gleemglumglom.ru does?

    There are well-known methods Netflix can employ that significantly minimize this risk– without depending on whatever Google does.

    Matthias April 20, 2018 9:28 AM

    I am disappointed that no one seems to take issue with the ability to change an account email without invalidating payment information. For me that is the primary issue with Netflix. Any action that can potentially transfer control of an account to someone else should invalidate payment information.

    Sebastian August 2, 2018 1:24 PM

Netflix’s security pattern is wrong. A plain link should not allow anyone to edit sensitive information. Any decent security pattern should involve another login step when entering highly sensitive information such as a credit card.

This way, you should be alarmed by 2 things. First, an email saying that your credit card is illegitimate or not valid anymore. Second and most important, the fact that you should log in to an account for which you don’t have the correct password. After trying a bunch of times to log in unsuccessfully, you should be alarmed a third time that this is not your account. And, if you are stubborn and decide to reset your password, you will be in total control of another netflix account and scammers will not be able to log in.
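The site-side controls that Roland Giersig, David, Matthias and Sebastian each ask for, combined in one account model as an added example (constructed for this thread; it is not Netflix’s code and the addresses, tokens and `AccountService` names are invented): an address is stored unverified until its owner clicks a confirmation, billing reminders are only ever sent to verified addresses, a session minted from an e-mailed link cannot enter a payment method (that needs a password login), and changing the account’s address discards the stored payment method and the verified flag. The `demo()` function walks the scenario from the post against these rules.

```python
"""Account model carrying the mitigations raised in the thread (added example).

Rules enforced here:
  * a newly entered address is unverified and receives no billing mail;
  * entering a payment method needs a password session, not a link session;
  * changing the address revokes the payment method and re-verifies.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def hash_pw(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2 (a deployment would use a dedicated password hash)."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_pw(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_pw(password, stored[:16]), stored)


@dataclass
class Account:
    email: str
    password_hash: bytes
    email_verified: bool = False
    verify_token: Optional[str] = None
    payment_token: Optional[str] = None   # opaque reference from the card processor


@dataclass
class Session:
    account: Account
    via_password: bool   # False for a session created from an e-mailed link


class AccountService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []   # (recipient, message) stands in for mail

    def signup(self, email: str, password: str) -> Account:
        acct = Account(email, hash_pw(password), verify_token=secrets.token_urlsafe(16))
        self.accounts[email] = acct
        self.outbox.append((email, f"verify:{acct.verify_token}"))
        return acct

    def confirm_email(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.verify_token is None:
            return False
        if not hmac.compare_digest(acct.verify_token, token):
            return False
        acct.email_verified, acct.verify_token = True, None
        return True

    def login_password(self, email: str, password: str) -> Optional[Session]:
        acct = self.accounts.get(email)
        if acct is None or not check_pw(password, acct.password_hash):
            return None
        return Session(acct, via_password=True)

    def login_link(self, email: str) -> Optional[Session]:
        """Convenience session from an e-mailed link: never enough for sensitive changes."""
        acct = self.accounts.get(email)
        return Session(acct, via_password=False) if acct else None

    def request_card_update(self, email: str) -> bool:
        """Billing failed; only a verified owner is ever asked for a card."""
        acct = self.accounts.get(email)
        if acct is None or not acct.email_verified:
            return False
        self.outbox.append((email, "card declined: log in with your password to update it"))
        return True

    def set_payment_method(self, session: Session, processor_token: str) -> bool:
        if not session.via_password:
            return False
        session.account.payment_token = processor_token
        return True

    def change_email(self, session: Session, new_email: str) -> bool:
        """Anything that can hand the account to someone else drops the card."""
        if not session.via_password or new_email in self.accounts:
            return False
        acct = session.account
        del self.accounts[acct.email]
        acct.email, acct.email_verified, acct.payment_token = new_email, False, None
        acct.verify_token = secrets.token_urlsafe(16)
        self.accounts[new_email] = acct
        self.outbox.append((new_email, f"verify:{acct.verify_token}"))
        return True


def demo() -> dict:
    """The post's scenario (constructed addresses) replayed against these rules."""
    svc = AccountService()
    svc.signup("james.hfisher@example.com", "eves-password")      # Eve signs up
    reminded_unverified = svc.request_card_update("james.hfisher@example.com")
    token = svc.outbox[0][1].split(":", 1)[1]                    # James owns the mailbox
    svc.confirm_email("james.hfisher@example.com", token)
    link = svc.login_link("james.hfisher@example.com")           # James clicks a link
    card_via_link = svc.set_payment_method(link, "proc_tok_1234")
    eve = svc.login_password("james.hfisher@example.com", "eves-password")
    svc.set_payment_method(eve, "proc_tok_eve")
    svc.change_email(eve, "eve@example.com")
    return {"reminded_unverified": reminded_unverified, "card_via_link": card_via_link,
            "payment_after_change": eve.account.payment_token,
            "verified_after_change": eve.account.email_verified}
```

Each return value in `demo()` corresponds to one step of the scam in the post: the unverified address gets no reminder, the link-born session cannot enter a card, and the address change that would have locked James out also throws away whatever card was on file.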

    MikeB October 11, 2019 4:09 PM

    I was having the same issue of someone using my gmail address with a period thinking it was his. Got lots of very interesting web sign-ups (of the wrong kind).

    I solved it by adding a rule to gmail. If the to address is to the address with the period, delete it.

    They no longer show up, and neither can the “scam”.

    -Mike

    Steve Meredith December 29, 2019 7:24 AM

I’m here to tell you that dots DO matter to original GMail accounts from 2004 when it was still a beta, invite only. At that time I made an account with a dot in it. Years go by and no problems. Then suddenly (probably 2008 and on) I started to get namesakes’ email in my box. Yes, I am receiving, and there are at least another 5 who created an account on Gmail with my name but no dots, all their email in my inbox. No bull. If you want to experiment with this, contact me via the email address I left on this comment.

    jsmith November 21, 2020 8:31 PM

    Kind of ashamed schneier.com shared this trash article. Judging from the comments of those who just agreed with the author or just took this to be true without looking into it, it seems like a lot of you guys didn’t actually read the article.. not only is the author fear-baiting with this whole “it’s a phishing scam” false narrative, but most of what they say is factually inaccurate, and the BIGGEST details from the beginning are themselves contradicted repeatedly throughout the story.

    In the beginning: they just clicked a link in their gmail and it logged them into “their netflix account” to change their CC info at which point they noticed their account had the wrong CC #. that’s when they realized.. it was someone else’s account!

    Halfway through: The author only mentions it once, VERY BRIEFLY (like half a sentence in the middle), but they do admit that the only way they were able to login to the scammer’s account was AFTER they purposefully completed a password reset process on the scammer’s email. So the entire premise of this story is bullshit. They try to sell you this fearful tale of clicking a single link and being perched to enter their CC # into someone else’s account. they themselves had to use the password reset feature on the dot-form of their email address, knowing it wasn’t their netflix account that they were resetting the password to. Unethical? yes. Illegal? maybe. they claim they “only noticed” it wasn’t their account due to the CC # not being their own, but there are lots of red flags about going through the password reset process of someone else’s account before you get to their CC #.

    I could go on and on, line by line and pick apart everything wrong with this article but this alone should clue you in.

    xcv November 21, 2020 9:30 PM

    @ jsmith • November 21, 2020 8:31 PM

> Kind of ashamed schneier.com shared this trash article.

    Are you new on the cell block? Schneier is security. The squid digs up all sorts of trash.

> I could go on and on, line by line and pick apart everything wrong with this article but this alone should clue you in.

    The details may not be 100% correct but

    1. People are obviously being scammed.
    2. There’s a news article on how it’s being done.
    3. There are other experts here who lurk, and may or may not disclose their true intentions.
