{"id":21178,"date":"2018-04-09T15:12:32","date_gmt":"2018-04-09T19:12:32","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=21178"},"modified":"2018-04-09T15:12:32","modified_gmt":"2018-04-09T19:12:32","slug":"the-dots-do-matter","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/04\/09\/the-dots-do-matter\/","title":{"rendered":"The Dots Do Matter"},"content":{"rendered":"<p><a href=\"https:\/\/jameshfisher.com\/2018\/04\/07\/the-dots-do-matter-how-to-scam-a-gmail-user.html\">Jim Fisher<\/a>:<\/p>\n<blockquote cite=\"https:\/\/jameshfisher.com\/2018\/04\/07\/the-dots-do-matter-how-to-scam-a-gmail-user.html\"><p>I recently received an email from Netflix\nwhich nearly caused me to add my card details to someone else&rsquo;s Netflix account.\nHere I show that this is a new kind of phishing scam\nwhich is enabled by an obscure feature of Gmail called &ldquo;the dots don&rsquo;t matter&rdquo;.\nI then argue that the dots <em>do<\/em> matter,\nand that this Gmail feature is in fact a misfeature.\nFinally I&rsquo;ll suggest some ways the Gmail team can combat such scams in future.<\/p><p>[&#8230;]<\/p><p>I finally realized that this email is to <code>james.hfisher@gmail.com<\/code>.\nI normally use <code>jameshfisher@gmail.com<\/code>, with no dots.\nYou might think this email should have bounced,\nbut instead it reached my inbox,\nbecause <a href=\"https:\/\/support.google.com\/mail\/answer\/7436150?hl=en\">&ldquo;dots don&rsquo;t matter in Gmail addresses&rdquo;<\/a>:<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/www.schneier.com\/blog\/archives\/2018\/04\/obscure_e-mail_.html\">Bruce Schneier<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.schneier.com\/blog\/archives\/2018\/04\/obscure_e-mail_.html\"><p>James Fisher, who wrote the post, argues that it&rsquo;s Google&rsquo;s fault. Ignoring dots might give people an enormous number of different email addresses, but it&rsquo;s not a feature that people actually want. And as long as other sites don&rsquo;t follow Google&rsquo;s lead, these sorts of problems are possible.<\/p><p>I think the problem is more subtle. It&rsquo;s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we&rsquo;re going to see a lot more of these. And like this Google\/Netflix interaction, it&rsquo;s going to be hard to figure out who to blame and who -- if anyone -- has the responsibility of fixing it.<\/p><\/blockquote>\n\n<p>I see this as a Netflix bug. Shouldn&rsquo;t they have verified that the account owner actually has access to the entered e-mail address?<\/p>","protected":false},"excerpt":{"rendered":"<p>Jim Fisher: I recently received an email from Netflix which nearly caused me to add my card details to someone else&rsquo;s Netflix account. Here I show that this is a new kind of phishing scam which is enabled by an obscure feature of Gmail called &ldquo;the dots don&rsquo;t matter&rdquo;. I then argue that the dots [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2018-04-09T19:12:33Z","apple_news_api_id":"67fd6c9c-e230-4af9-a6d1-3d840a474bf9","apple_news_api_modified_at":"2018-04-09T19:12:34Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AZ_1snOIwSvmm0T2ECkdL-Q","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[150,433,227,1200],"class_list":["post-21178","post","type-post","status-publish","format-standard","hentry","tag-email","tag-gmail","tag-netflix","tag-phishing"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/21178","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=21178"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/21178\/revisions"}],"predecessor-version":[{"id":21179,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/21178\/revisions\/21179"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=21178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=21178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=21178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}