Monday, April 9, 2018

The Dots Do Matter

Jim Fisher:

I recently received an email from Netflix which nearly caused me to add my card details to someone else’s Netflix account. Here I show that this is a new kind of phishing scam which is enabled by an obscure feature of Gmail called “the dots don’t matter”. I then argue that the dots do matter, and that this Gmail feature is in fact a misfeature. Finally I’ll suggest some ways the Gmail team can combat such scams in future.

[…]

I finally realized that this email is to james.hfisher@gmail.com. I normally use jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses”:

Bruce Schneier:

James Fisher, who wrote the post, argues that it’s Google’s fault. Ignoring dots might give people an enormous number of different email addresses, but it’s not a feature that people actually want. And as long as other sites don’t follow Google’s lead, these sorts of problems are possible.

I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who -- if anyone -- has the responsibility of fixing it.

I see this as a Netflix bug. Shouldn’t they have verified that the account owner actually has access to the entered e-mail address?

5 Comments RSS · Twitter

Adrian Bengtson

I actually like this feature from Gmail. I use it all the time to quickly create "aliases" (sort of) for testing (like setting upp multiple WordPress users). I also use it for tracking if sites are selling my adress by using something like myname.sitename@mydomain.com.

Don't even get me started on this one. There are way too many sites (I'm ESPECIALLY looking at you, PayPal) that let people set up accounts with some random email they decided to use. My address that's linked to my Comcast account has been used to set up a Paypal account and there's nothing I can do. Someone recently set up an eBay account (seeing a pattern here) and started bidding on things using my primary address. Fortunately they were too dumb to set up two-factor and I was able to change the password and close the account. This happens at least once a month for various services; my absolute favorite was the guy in Australia who opened an Ashley Madison account.

I love that one. Also, the + is even more interesting. Google ignores everything that comes after the plus sign, that is myname@gmail.com is same as myname+trash@gmail.com.

When the "dot" and the "plus" were introduced, they were viewed as ways to *increase* security and assist the user in filtering unwanted or suspicious emails. As gmail catered to more "less technical" users over the years, these ideas seem to have been forgotten.

Adrian Bengtson

Oh, I messed up my earlier comment, it was the plus sign I meant, not the dot, when I create aliases for testing etc. So my example would be myname+sitename@mydomain.com and nothing else.

Leave a Comment