Obscure E-Mail Vulnerability with Netflix and Google

This vulnerability stems from an interaction between two different ways of treating e-mail addresses. Gmail ignores dots in addresses, so steve.victim@gmail.com is the same as stevevictim@gmail.com is the same as s.t.e.v.e.v.i.c.t.i.m@gmail.com. Netflix doesn't ignore dots, so those are all unique e-mail addresses and can each be used to register an account.

Here is how this peculiarity is exploited.

Keep entering Gmail address names into the Netflix sign up form until you discover one that responds that the name is in use.
Create a Netflix account with that name using a period as: steve.victim.
Sign up for the free trial with a throwaway card number.
After Netflix applies the "active card check", cancel the card.
Wait for Netflix to bill the canceled card. Then Netflix emails steve.victim@gmail.com and asks him to update his payment details. It addresses the e-mail to Steve. It is from Netflix.
Sometimes the victim sees the card problem and enters a legitimate card number. After all, he has a Netflix account and might not pay a lot of attention to the details of the refused card or dot in the name.
Change the e-mail for the Netflix account to miscreant@gmail.com (or some other phony name). Now no new notices will be sent to steve.victim.
Use Netflix free until Steve Victim figures it out and straightens things out with Netflix.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		Obscure E-Mail Vulnerability with Netflix and Google This vulnerability stems from an interaction between two different ways of treating e-mail addresses. Gmail ignores dots in addresses, so steve.victim@gmail.com is the same as stevevictim@gmail.com is the same as s.t.e.v.e.v.i.c.t.i.m@gmail.com. Netflix doesn't ignore dots, so those are all unique e-mail addresses and can each be used to register an account. Here is how this peculiarity is exploited. Keep entering Gmail address names into the Netflix sign up form until you discover one that responds that the name is in use. Create a Netflix account with that name using a period as: steve.victim. Sign up for the free trial with a throwaway card number. After Netflix applies the "active card check", cancel the card. Wait for Netflix to bill the canceled card. Then Netflix emails steve.victim@gmail.com and asks him to update his payment details. It addresses the e-mail to Steve. It is from Netflix. Sometimes the victim sees the card problem and enters a legitimate card number. After all, he has a Netflix account and might not pay a lot of attention to the details of the refused card or dot in the name. Change the e-mail for the Netflix account to miscreant@gmail.com (or some other phony name). Now no new notices will be sent to steve.victim. Use Netflix free until Steve Victim figures it out and straightens things out with Netflix. Further reading https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html Date: June 2018 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk

Keeping clients' computers safe and profitable for over 30 years

Obscure E-Mail Vulnerability with Netflix and Google

Further reading