GOOGLE’S GMAIL has a vulnerability that could open the door to phishing scams that attempt to trick Netflix users into paying for a scammer’s account.
That’s according to cybersecurity researcher James Fisher, who investigated an unusual email from Netflix asking him to update his payment details.
Fisher notes the vulnerability lies with “the dots don’t matter” feature in Gmail, whereby a user will receive emails to their Gmail address regardless of where dots are put into their name.
For example, a legit Gmail address of [email protected] will supposedly receive emails sent to [email protected] or [email protected] – we put this to the test and dots placed at random in our address name still got through to our Gmail account.
When Fisher got an email from Netflix to his Gmail account using the address [email protected] rather than his actual address of [email protected], he thought it was odd as he uses the latter address with Netflix.
Still, the email was from a legitimate Netflix address and linked back to Netflix’s website. It was only when Fisher noticed that the expired card details he was asked to update didn’t match any card he owned that his suspicions were piqued.
He realised that the payment details update email was from a different Netflix account from his, but due to the way Gmail’s ‘dots don’t matter’ feature works, he still received the email.
Fisher theorised that scammers could spam a Netflix sign-up page until they find a Gmail address in use, then create a variant on it with a dot in the wrong place. Through the use of a sacrificial payment card, they could set up a new account then wait until Netflix actions an “active card check”.
From there, an email asking for updated details would be sent to a Netflix user’s legitimate Gmail address. If they don’t spot the odd dots in the email address or any fake payment details, they could assume that all is well and update their payment details with an active card.
Once done, the scammer could change the account’s email address in Netflix, thereby preventing it from being accessed by their victim yet retaining their payment details, thereby getting free Netflix.
“Where is the security flaw here? Some would say it’s Netflix’s fault; that Netflix should verify the email address on sign up. But using someone else’s address on signup only cedes control of the account to that person,” said Fisher.
“Others would say that Netflix should disallow the registration of [email protected], but this would force Netflix and every other website to have insider knowledge of Gmail’s canonicalization algorithm. Still, others would say that Netflix’s ‘update your payment details’ email should force a manual login, instead of using an authenticated link.
“Some blame lies with Netflix, but I believe the main problem lies with Gmail, and specifically Gmail’s ‘dots don’t matter’ feature.
“The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set.”
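The “insider knowledge of Gmail’s canonicalization algorithm” Fisher refers to is small enough to write down. The following is an added example, not code from Fisher or from Netflix: it folds the dot variants of a Gmail address onto one canonical form so a sign-up flow can detect that a new registration would mail the same inbox as an existing account. It assumes only the behaviour described above (dots in the local part are ignored, and Gmail local parts are case-insensitive) plus the known gmail.com/googlemail.com equivalence; other providers are left alone.

```python
import re

# Domains Google delivers with the "dots don't matter" rule.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
_ADDR_RE = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def canonical_email(address: str) -> str:
    """Return the delivery-equivalent canonical form of an address.

    For Gmail: lower-case the local part, drop every dot in it and fold
    googlemail.com onto gmail.com. For any other provider only the domain is
    lower-cased, because we know nothing about its delivery rules.
    """
    address = address.strip()
    if not _ADDR_RE.match(address):
        raise ValueError(f"not a plausible email address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "").lower()
        domain = "gmail.com"
        if not local:  # e.g. ".@gmail.com" collapses to nothing
            raise ValueError("Gmail local part is empty after removing dots")
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True when both strings deliver to the same inbox."""
    return canonical_email(a) == canonical_email(b)


def find_colliding_accounts(new_address: str, existing: list[str]) -> list[str]:
    """Registered addresses that share an inbox with new_address.

    A non-empty result is the signal a sign-up flow can act on (refuse, or
    require the owner to verify) instead of silently creating a second
    account whose mail lands in someone else's inbox.
    """
    target = canonical_email(new_address)
    return [e for e in existing if canonical_email(e) == target]


if __name__ == "__main__":
    # Constructed sample of registered accounts, not real data.
    registered = ["jamesfisher@gmail.com", "other@gmail.com", "jamesfisher@example.com"]
    print(find_colliding_accounts("ja.mes.fisher@gmail.com", registered))
```

Note that the example.com entry is not reported as a collision: dot-insensitivity is a Gmail property, not a general email one, and applying it to other domains would merge addresses that really are different.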
We contacted Google for comment on the matter but so far all we know is that the search giant is looking into the matter.
Netflix is hardly a costly service for the number of films and TV shows it provides access to, so one could argue that the effort in getting free access to it is not worth the time. But hackers tend to enjoy cracking into things for the hell of it, and free Netflix is still a pretty nice incentive to get hacking. µ