Obscure E-Mail Vulnerability with Netflix and Google

This vulnerability stems from an interaction between two different ways of treating e-mail addresses. Gmail ignores dots in the part of an address before the @, so steve.victim@gmail.com, stevevictim@gmail.com and s.t.e.v.e.v.i.c.t.i.m@gmail.com all deliver to the same mailbox. Netflix does not ignore dots, so to Netflix those are three distinct e-mail addresses, each of which can be used to register its own account.

Here is how this peculiarity is exploited.
  1. Keep entering Gmail address names into the Netflix sign-up form until one is reported as already in use.
  2. Create a Netflix account with that name, but with a period inserted: steve.victim.
  3. Sign up for the free trial with a throwaway card number.
  4. After Netflix applies the "active card check", cancel the card.
  5. Wait for Netflix to bill the canceled card. Netflix then e-mails steve.victim@gmail.com and asks him to update his payment details. The e-mail is addressed to Steve, and it really is from Netflix.
  6. Sometimes the victim notices the card problem and enters a legitimate card number. After all, he does have a Netflix account and may not pay much attention to the details of the refused card or to the dot in the name.
  7. Change the e-mail address on the Netflix account to miscreant@gmail.com (or some other phony address). From now on no notices will reach steve.victim.
  8. Use Netflix free until Steve Victim figures it out and straightens things out with Netflix.
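The defence on the service side is to compare mailboxes rather than raw address strings. As an added example (not code from the article, Netflix or Google), the check below canonicalises an address before a sign-up is accepted, so dotted variants of one Gmail mailbox are recognised as the same customer; treating googlemail.com as an alias of gmail.com and dropping a "+tag" suffix are assumptions beyond what the article states.

```python
from typing import Optional

# Domains where Google ignores dots in the local part. gmail.com is the
# case the article describes; googlemail.com as its alias is an assumption.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail, dots in the local part are ignored and anything after '+'
    is a tag, so steve.victim@gmail.com and s.t.e.v.e.victim+x@gmail.com
    both map to stevevictim@gmail.com. For every other domain only case
    and surrounding whitespace are normalised, because the meaning of the
    local part is up to the receiving mail server, not to us.
    """
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local.lower()}@{domain}"


def find_duplicate_signup(new_address: str, registered: list) -> Optional[str]:
    """Return the already-registered address that shares a mailbox with
    new_address, or None when the mailbox is genuinely new."""
    target = canonical_mailbox(new_address)
    for existing in registered:
        if canonical_mailbox(existing) == target:
            return existing
    return None


# Constructed sample data: one existing customer, plus the dotted variants
# a sign-up form should refuse to treat as a brand-new customer.
REGISTERED = ["stevevictim@gmail.com", "alice@example.org"]

if __name__ == "__main__":
    for candidate in ["steve.victim@gmail.com", "s.t.e.v.e.v.i.c.t.i.m@gmail.com",
                      "Steve.Victim+netflix@googlemail.com", "alice.b@example.org"]:
        clash = find_duplicate_signup(candidate, REGISTERED)
        print(f"{candidate:40} -> {clash or 'new mailbox'}")
```

A service that stores the canonical form alongside the address as entered can also use it to tell the account holder that a sign-up, billing notice or address change concerns an account they did not create.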

Further reading


Date: June 2018

Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.