Gmail ‘dots don’t matter’ feature exposes Netflix users to phishing attacks

If your Netflix account is registered with a Gmail address, beware of any emails from Netflix asking you to renew your payment info. This, according to a developer who came within inches of paying someone else’s Netflix bill with his credit card number.

James Fisher signed up for Netflix in 2013 using [email protected], an email address that Google considers the same as [email protected] because of the infamous “dots don’t matter” feature that Google insists is a good thing for users.

A person with a similar name in a different state had used this email address to sign up for Netflix. When something went wrong with the billing, Netflix emailed the real Fisher, asking him to renew his credit card details, not knowing that someone else was behind the dotted version of the address.

As Fisher recalls, he was seconds away from renewing his credit card number – essentially supplying a valid payment for someone else’s Netflix service – when he noticed that something was amiss.

“The email is genuinely from netflix.com, so I clicked the link,” Fisher writes. “It logged me in and took me to an “Update your credit or debit card” page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognize. Checking my records, I’ve never seen this card number. What’s going on?”

“I finally realized that this email is to [email protected] I normally use [email protected], with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses.”

He then demonstrates how a standard phishing scam could take advantage of this oversight between the two services. Indeed, it seems ridiculously easy to exploit and trick someone into paying for your Netflix membership.

Fisher condemns Google for keeping the “dots don’t matter” feature, even though the search giant itself once admitted that the feature could be “confusing” to users. He proposes amending the Gmail feature set but believes Google should retire the feature altogether.

Security heavyweight Bruce Schneier calls it “an example of two systems without a security vulnerability coming together to create a security vulnerability.” Indeed, neither service is to blame fully for this issue but, now that the word is out, maybe one of them will address it.

As a rule of thumb, be wary of any email asking you to renew billing information. This Gmail/Netflix mix-up is a perfect example of a phishing scam created out of thin air by exploiting legitimate functionality in disparate services. Always check that all personal information in the mail is legitimate, and never supply your credit/debit card details, or renew your password, before double checking that it is indeed necessary to make such changes.

Phishing remains one of the most popular attack vectors for bad actors, and the biggest threat to online services. Google itself conducted a study with the University of California, Berkeley revealing that phishing was the greatest threat to account-based online services in 2017.

Data compiled by experts in email analytics shows that 87.6% of root domains operated by top e-retailers in the US and EU are exposing their consumers to phishing scams.

Leave a Reply