Keeping clients' computers safe and profitable for over 30 years
Obscure E-Mail Vulnerability with Netflix and Google
This vulnerability stems from an interaction between two different ways of treating e-mail addresses. Gmail ignores dots in addresses, so steve.victim@gmail.com, stevevictim@gmail.com and s.t.e.v.e.v.i.c.t.i.m@gmail.com all deliver to the same mailbox. Netflix doesn't ignore dots, so it treats each of those as a unique e-mail address, and each can be used to register a separate account.
Here is how this peculiarity is exploited.
- Keep entering Gmail addresses into the Netflix sign-up form until it responds that one is already in use.
- Create a Netflix account with that name, adding a period, as in steve.victim.
- Sign up for the free trial with a throwaway card number.
- After Netflix applies the "active card check", cancel the card.
- Wait for Netflix to bill the canceled card. Then Netflix emails steve.victim@gmail.com and asks him to update his payment details. It addresses the e-mail to Steve. It is from Netflix.
- Sometimes the victim sees the card problem and enters a legitimate card number. After all, he has a Netflix account and might not pay a lot of attention to the details of the refused card or dot in the name.
- Change the e-mail for the Netflix account to miscreant@gmail.com (or some other phony name). Now no new notices will be sent to steve.victim.
- Use Netflix free until Steve Victim figures it out and straightens things out with Netflix.
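Seen from the service's side, the gap closes when the sign-up uniqueness check compares mailboxes rather than raw strings. The sketch below is an added example, not code from the original article or from Netflix; `canonical_email`, `AccountRegistry` and the domain set are hypothetical names, and only the Gmail dot rule described above is modelled.

```python
# Added example: canonicalise addresses before the uniqueness check at sign-up.
# Assumption: the set below lists providers that ignore dots in the local part;
# the article names only Gmail.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def canonical_email(address: str) -> str:
    """Return the key used for duplicate detection (not for sending mail)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        # Gmail delivers every dotted variant to the same mailbox.
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


class AccountRegistry:
    """Hypothetical in-memory account store keyed by canonical address."""

    def __init__(self):
        self._by_key = {}  # canonical key -> address as first registered

    def register(self, address: str) -> str:
        key = canonical_email(address)
        if key in self._by_key:
            raise ValueError(
                f"{address} reaches the same mailbox as {self._by_key[key]}"
            )
        self._by_key[key] = address
        return key


def demo() -> dict:
    """Register constructed sample addresses and report each outcome."""
    registry = AccountRegistry()
    registry.register("stevevictim@gmail.com")  # the legitimate account
    outcomes = {}
    for candidate in (
        "steve.victim@gmail.com",            # dotted variant, same mailbox
        "S.t.e.v.e.v.i.c.t.i.m@GMAIL.com",   # dots plus case differences
        "steve.victim@example.org",          # different provider, dots kept
    ):
        try:
            registry.register(candidate)
            outcomes[candidate] = "accepted"
        except ValueError:
            outcomes[candidate] = "rejected"
    return outcomes


if __name__ == "__main__":
    for address, outcome in demo().items():
        print(f"{outcome:9} {address}")
```

The canonical form is only a lookup key; mail should still be sent to the address exactly as the user typed it.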
Further reading: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html
Date: June 2018
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.