Got a Gmail account? Read this:
April 10, 2018 | 3:22 PM
by Times News Service

Muscat: A feature of all Gmail accounts could lead to scammers watching Netflix for free while you pay.

The glitch has sent shockwaves through the internet after it was uncovered by an online blogger. Gmail does not recognise dots in email addresses: a dotted email and one without dots are considered to be the same. Google once explained the unique feature by saying, "For example, if your email is [email protected], you own all dotted versions of your address."

However, other sites and services, such as Netflix, do recognise dots in email addresses, and would consider an account registered to [email protected] and an account registered to [email protected] to be completely separate. This creates a potential security threat for users.

As reported on his official blog, a developer named James Fisher was nearly tricked into adding his card details to someone else's Netflix account as a result of the quirk.



According to his post, he received a legitimate email from Netflix earlier this year telling him his account was on hold and advising him to update his payment details.

It was then that he realised the card number associated with the account was not his. “Odd, I thought,” he wrote. “The email is genuinely from netflix.com, so I clicked the link. It logged me in and took me to an “Update your credit or debit card” page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognise. Checking my records, I’ve never seen this card number. What’s going on? I finally realised that this email is to [email protected]. I normally use [email protected], with no dots. You might think this email should have bounced, but instead it reached my inbox, because ‘dots don’t matter in Gmail addresses’.”

The [email protected] Netflix account had been created in September 2017, while Fisher's own was registered in 2013. Because Netflix does not require email verification when new accounts register, you can start using the service immediately.

Fisher believes it leaves users vulnerable to scammers.

"To exploit the confusion around it, all they’d need to do is find a Gmail address that’s already registered on Netflix, create a Netflix account using that email address, only with dots added in, sign up for a free trial using a “throwaway” card number, then cancel the card."

In response, Netflix would email the real Gmail account user, asking for their payment details. Unless they were really alert, they’d then unwittingly add their payment information to the scammer’s Netflix account.

“The Gmail team should combat this kind of phishing. They should officially acknowledge that dots-don’t-matter is a misfeature,” Fisher added.
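The mismatch described above can be caught on the service side at signup. The following is an added example, not code from Netflix, Google or Fisher's post: it maps each address to the mailbox that will actually receive the mail and reports earlier signups that share it. The names `mailbox_key` and `SignupRegistry` and all sample addresses are constructed for illustration, and treating `googlemail.com` as the same mailbox as `gmail.com` is an assumption the article does not cover.

```python
# Domains whose mailboxes ignore dots in the local part.
# googlemail.com is Google's alias domain for gmail.com (assumption beyond the article).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def mailbox_key(address: str) -> str:
    """Return a key identifying the mailbox that will receive mail for `address`."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots (and letter case) in the local part.
        return local.replace(".", "").lower() + "@gmail.com"
    # Other providers may treat dots as significant, so the local part is kept as-is.
    return local + "@" + domain


class SignupRegistry:
    """Tracks signups by mailbox so dot-variant duplicates can be flagged."""

    def __init__(self):
        self._by_mailbox = {}  # mailbox key -> addresses exactly as registered

    def register(self, address: str) -> list:
        """Record a signup and return earlier, differently written addresses
        that deliver to the same mailbox. A non-empty result means the new
        account should be held until the mailbox owner confirms it."""
        seen = self._by_mailbox.setdefault(mailbox_key(address), [])
        collisions = [a for a in seen if a != address]
        if address not in seen:
            seen.append(address)
        return collisions


if __name__ == "__main__":
    registry = SignupRegistry()
    # Constructed sample signups, in the order they arrive.
    for addr in ["sampleuser@gmail.com", "sample.user@gmail.com", "a.b@example.org"]:
        print(addr, "->", registry.register(addr) or "no collision")
```

A collision is only a signal: the durable fix is the one the article points at, confirming ownership of the mailbox before an account can be used or billed.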


