Netflix users who signed up to the streaming service with a Gmail account are at risk from a new phishing scam, it has been revealed.
The scam is made possible due to a security flaw in Gmail related to its ‘dots don’t matter’ policy.
Gmail famously doesn’t recognise dots in email addresses. For example, it regards john.smith@gmail the same as johnsmith@gmail or j.o.h.n.smith@gmail.
“If someone accidentally adds dots to your address when emailing you, you’ll still get that email. For example, if your email is email@example.com, you own all dotted versions of your address,” Google explains on its support forum.
However, most other sites, including Netflix, do recognise dots in email addresses and as such would consider john.smith@gmail and johnsmith@gmail as two separate accounts.
And herein lies the problem.
According to the Register, the issue almost tricked Netflix user James Fisher into paying for someone else’s account.
He said the issue almost resulted in him entering his credit card details into an account belonging to another Netflix user.
James said he received a legitimate email from Netflix advising him to login to his account and update his payment details.
But at the last moment he noticed that the email address of the intended recipient was the same as his apart from a dot.
“You might think this email should have bounced, but instead it reached my inbox, because ‘dots don’t matter in Gmail addresses’,” James wrote on his blog.
Speaking to Newsweek, James said: “Consumers might be aware of the dangers of phishing, where an email looks like it’s from Netflix, but actually it’s from an attacker.”
“But there’s another—more subtle—form of phishing: where an email looks like it’s from your Netflix account, but actually it’s from an attacker’s Netflix account,” he said. “In my example, the attacker hopes to fool you into paying their Netflix bill, but the same scheme could be used to fool you into paying for more expensive services or handing out sensitive information.
“The attack is especially effective because it’s not enough for the consumer to check that an email’s sender is genuine. The consumer must also check that an email relates to their own genuine account, and not an attacker’s.”
“The Gmail team should combat this kind of phishing. They should officially acknowledge that dots-don’t-matter is a misfeature,” Fisher added.
“Each Google account should have one variant configured as its standard address; I would set firstname.lastname@example.org as standard, and maybe John would set email@example.com as standard. If an email is sent to a non-standard address, it should be shown with a warning.
“Finally, Gmail users should be able to opt out of dots-don’t-matter. I wish for any mail sent to firstname.lastname@example.org to bounce instead of reaching my inbox. The dots-don’t-matter feature should be disabled by default for any new Google accounts, and eventually retired.”
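The two halves of the problem described above (Gmail collapsing dotted variants into one inbox while a service keys accounts on the exact spelling, and Fisher’s proposed remedy of one standard spelling per account with a warning on mail sent to any other variant) can be shown in a few lines of Python. This is an added illustration, not code from Google, Netflix or Fisher: the addresses and the billing-style message are constructed, the `AccountStore` is a toy user table, and the normalisation goes slightly beyond the article by also folding case, the `googlemail.com` alias and `+tag` sub-addresses, all of which Gmail routes to the same inbox.

```python
# Added example: modelling Gmail's "dots don't matter" routing against a
# service that treats each spelling as a distinct account, plus the
# inbox-side warning Fisher proposes. All names and data are constructed.

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # both route to the same inbox


def gmail_canonical(address: str) -> str:
    """Return the single inbox an address actually delivers to.

    For Gmail, dots in the local part are ignored, case is ignored, anything
    after '+' is a sub-address tag, and googlemail.com is an alias of gmail.com.
    Other providers generally do NOT behave this way, so for them only case is
    folded and the spelling is otherwise kept.
    """
    local, _, domain = address.strip().partition("@")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local.lower()}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True when two spellings land in the same mailbox."""
    return gmail_canonical(a) == gmail_canonical(b)


class AccountStore:
    """Toy service-side user table.

    With detect_inbox_collisions=False it behaves like the sites the article
    describes: the raw spelling is the key, so john.smith@ and johnsmith@ are
    two unrelated customers. With it set to True, a sign-up whose address
    delivers to an inbox already attached to another account is flagged for
    review instead of silently creating a look-alike account.
    """

    def __init__(self, detect_inbox_collisions: bool) -> None:
        self.detect = detect_inbox_collisions
        self.by_address: dict[str, str] = {}  # exact spelling -> owner
        self.by_inbox: dict[str, str] = {}    # canonical inbox -> first spelling

    def register(self, address: str, owner: str) -> tuple[str, str]:
        if address in self.by_address:
            return ("rejected", "address already registered")
        inbox = gmail_canonical(address)
        if self.detect and inbox in self.by_inbox:
            return ("review", f"delivers to the same inbox as {self.by_inbox[inbox]}")
        self.by_address[address] = owner
        self.by_inbox.setdefault(inbox, address)
        return ("ok", "")


def classify_recipient(to_address: str, standard_address: str) -> str:
    """Fisher's proposed inbox-side check.

    'standard' : mail addressed to the user's chosen canonical spelling
    'variant'  : a different spelling that still reached this inbox (warn)
    'other'    : not this user's inbox at all
    """
    if to_address.strip().lower() == standard_address.strip().lower():
        return "standard"
    if same_inbox(to_address, standard_address):
        return "variant"
    return "other"


def check_message(headers: dict[str, str], standard_address: str) -> str:
    """Apply classify_recipient to a message's To: header."""
    return classify_recipient(headers.get("To", ""), standard_address)


# Constructed sample: a genuine-looking billing notice whose recipient spelling
# differs from the reader's standard address only by a dot.
SAMPLE_BILLING_EMAIL = {
    "From": "billing@streaming.example",      # constructed sender
    "To": "janedoe@gmail.com",                # the *other* account's spelling
    "Subject": "Please update your payment details",
}


def demo() -> dict:
    """Run both sides of the scenario and return the outcomes."""
    naive = AccountStore(detect_inbox_collisions=False)
    careful = AccountStore(detect_inbox_collisions=True)
    results = {
        "naive": [naive.register("jane.doe@gmail.com", "jane")[0],
                  naive.register("janedoe@gmail.com", "someone_else")[0]],
        "careful": [careful.register("jane.doe@gmail.com", "jane")[0],
                    careful.register("janedoe@gmail.com", "someone_else")[0]],
        "inbox_warning": check_message(SAMPLE_BILLING_EMAIL, "jane.doe@gmail.com"),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone, the naive store happily creates two accounts that share one inbox, the careful store flags the second sign-up for review, and the inbox-side check labels the billing notice a `variant`, which is exactly the warning that would have told Fisher the email concerned someone else’s account before he reached the payment page.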
Both Google and Netflix have said they are aware of the issue and working on a fix.
Security expert Bruce Schneier said the issue was “an example of two systems without a security vulnerability coming together to create a security vulnerability.”