
The dots do matter: how to scam a Gmail user - jamesfisher
https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user
======
hn_throwaway_99
Totally disagree with the conclusion. This is Netflix's issue for not
validating the email account. Not sure if Uber has changed this since then,
but back in the day I used to get the full ride details and receipts from
someone else who mistyped their email.

If you are sending private transactional emails you need to verify accounts
first.

~~~
jamesfisher
I think these are orthogonal issues. The dots do matter, but Netflix should
also validate email addresses. However, I don't think it's as critical. Lack
of email validation means I receive someone else's ride details (I agree,
annoying), but dots-don't-matter means I might accidentally pay for that
person's rides.

~~~
codetrotter
Thinking about this a bit more, I believe that there is another problem with
how account creation is done.

In general we do it in two steps:

1. User detail and password

2. E-mail confirmation

Instead, if we did

1. User details but NOT password

2. E-mail confirmation and subsequently entering the password on the page
that was sent via e-mail.

Actually, I think the most optimal would be

1. Enter e-mail address only

2. E-mail confirmation and entering all details

This would simultaneously protect the person that initiated account creation
and the owner of the e-mail address from one another.

~~~
DougWebb
Typically when I implement user self-registration for my portal-website
clients, I use a variation of your third option:

1. Enter email address and some out-of-band information that only an
existing-account-holder should know. Eg: a web portal for a utility company
could ask for the account number and amount due from a recent bill.

2. Send confirmation email with a code/link.

3. After user enters a valid code, continue registration by gathering
additional user details, password, and (usually) recovery Q&A.

The user account is not created until step 3; if they provide a fake email,
it's as if the registration attempt never occurred. Absolutely no access is
granted until after the final step.

The extra details in step #1 only work for website registration of a user
that has a pre-existing relationship with the company, of course. For a new
account, email address is all you should request at that point.

~~~
fyi1183
Please don't use recovery Q&A.

As a user, I cannot trust that a website gets the recovery flow right. Some
websites will allow you to bypass email and password if you know the answer to
the question. Because of that, I cannot put in the real answer, as that would
be a massive security risk.

So I usually put in some random garbage, which means it's essentially a second
password. Well, if I lost my first password, chances are good that I lost the
second password as well.

So please, don't do security questions. Just send a password reset link by
email.

If you're worried about stuff like payment info stored in the account, just
ask me to re-enter those details after I changed my password.

~~~
DougWebb
Fair points, and I'm not a fan of the recovery Q&A either. But here's the
process that I use:

1. User must enter their email address, and I send them an email with a
recovery code.

2. After they enter the code, validating control of the email address, I show
them the Question they chose and let them enter the answer.

3. After they enter the correct answer, I force them to update their
password, and I send a confirmation email about the password update.

The emails all provide contact information and ask the user to get in touch if
they didn't initiate any of these actions.

You're right about the answer being essentially a second password, and I treat
it as such: only an encrypted hash is stored, type=password fields are used to
enter it.

One of my clients did request getting rid of the Q&A, which I was able to do
pretty easily because email verification step and reset code were already
implemented.

On a personal note, I _never_ use real answers for security questions. I use
randomly generated strings, just like my passwords. If I can choose my own
question I use a random string for that too.

------
Pxtl
I have multiple "e-mail doppelgangers" - confused people who don't know their
own email address and so accidentally use my address when they register stuff.

One's in Chile. I have almost no knowledge of Spanish. The other is in
California.

Having experienced this:

Services need to email new email accounts they become aware of ASAP. They have
literally _zero_ UI available to me to notify them that this is an invalid
email address. The very first interaction when a user registers an account
with their email on the service needs to be "Welcome username to
MyCompany.com! If you didn't create an account with MyCompany, click here to
let us know and we'll remove the email address from this user's account!"

If Netflix does not do this, Netflix is doing it wrong. It also would solve
your security issue - by immediately notifying the address that a new account
has been created on them, it notifies the user to expect additional emails and
allows them to take action immediately.

This also prevents another problem: What happens if somebody has already
accidentally claimed my email address on a service I want to join? If you
don't provide a way in the emails to say "that's not me", then I have no way
to ever register for your service with my address.

~~~
dpwm
I actually have dots in my Netflix account email address _because_ somebody
who wasn't me had previously started to register for Netflix using my email
address.

I have had to do this with some other services as well. Some services won't
allow the + in gmail addresses, which is pretty annoying.

If a service starts recognising the dots don't matter and denying the plus
symbol, there's a good chance I won't be able to register without obtaining a
new email address.

I wouldn't mind but my name is really not that common -- my surname is
uncommon enough for me not to have met another with that surname outside my
family.

~~~
nebulous1
Why can't you claim the original accounts?

~~~
dpwm
The thought did cross my mind. But there's something that feels weird about
claiming an account that I never set up, especially where it's not clear if
the service allows payment or usage with an unverified email address.

I personally don't believe the penalty for putting my email address in instead
of yours (which could be very close) should be complete account hijack.
Instead, I usually just filter the messages to trash.

I would much prefer to be able to click a link saying "I didn't expect this
email." Very few services actually do this.

There will be some people who read the OP and see treating dots in email
addresses where dots don't matter as another thing on their todo list for a
signup form.

A more considered approach would be to think about how you handle emails. A
lot of the time the email is the most important thing -- access to the email
address is often the only credential you need to get into the account, so you
want it to be correct before anybody spends time entering details.

You can make sure there are no mistakes by giving users a link to click within
a window of time (e.g. 7 days), before they can enter any data associated with
that account. Provide a link that says "nothing to do with me." Do not count
the account as real until the link has been visited.

In the case of the linked article, Netflix asking for billing information
before confirmation of email address is a clear example of a threat vector
that has far more to do with Netflix prematurely pestering for payment than it
does with Gmail aliasing email addresses.
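
One way to implement the flow DougWebb and dpwm describe above, as an added example that is not Netflix's or any site's own code: nothing beyond the typed address is stored until the confirmation link is followed, a "not me" link discards the attempt, and unconfirmed attempts expire after the 7-day window. The in-memory store, the `example.invalid` link host and the stand-in outbox are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

CONFIRM_WINDOW = timedelta(days=7)   # the window suggested in the thread


def token_hash(token: str) -> str:
    """Store only a hash of the emailed token, so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Pending:
    email: str            # kept exactly as typed; the local part is never normalised
    expires_at: datetime


@dataclass
class Service:
    pending: Dict[str, Pending] = field(default_factory=dict)   # token hash -> Pending
    accounts: Dict[str, dict] = field(default_factory=dict)     # verified email -> account
    outbox: List[dict] = field(default_factory=list)            # constructed stand-in for mail delivery

    def start_registration(self, email: str, now: datetime) -> str:
        """Step 1: collect only the address. No account, no password, no access."""
        token = secrets.token_urlsafe(32)
        self.pending[token_hash(token)] = Pending(email, now + CONFIRM_WINDOW)
        self.outbox.append({
            "to": email,
            "confirm": f"https://example.invalid/confirm/{token}",   # placeholder host
            "not_me": f"https://example.invalid/not-me/{token}",     # "nothing to do with me"
        })
        return token  # in reality only the mailbox owner sees this, via the email

    def confirm(self, token: str, now: datetime, password: str) -> bool:
        """Steps 2 and 3: following the link proves control of the mailbox; only
        then is the account created, with a password chosen by the link holder."""
        p = self.pending.pop(token_hash(token), None)
        if p is None or now > p.expires_at:
            return False
        if p.email in self.accounts:
            return False   # address already belongs to a verified account; no silent takeover
        salt = secrets.token_bytes(16)
        self.accounts[p.email] = {
            "salt": salt,
            "password_hash": password_hash(password, salt),
            "verified_at": now,
        }
        return True

    def not_me(self, token: str) -> bool:
        """The address owner disowns the attempt; the pending record is discarded."""
        return self.pending.pop(token_hash(token), None) is not None

    def sweep(self, now: datetime) -> int:
        """Expired attempts vanish as if the registration never occurred."""
        dead = [h for h, p in self.pending.items() if now > p.expires_at]
        for h in dead:
            del self.pending[h]
        return len(dead)

    def has_access(self, email: str) -> bool:
        return email in self.accounts
```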

------
thephyber
I don’t get the argument that the email dots stripping should be removed but
the “+” tag feature should be kept.

Both of them allow infinite email addresses. The tag feature is not always
available because app developers frequently don’t allow the plus character.

I would prefer that (1) a Netflix require email verification and (2) GMail
describe in detail all of the email address features so app developers can
explore the security issues around them.

I used to work for a company that dealt with these issues almost 10 years ago.
It was also fun when Hotmail and Yahoo started recycling unused email
addresses after ~6 months.

~~~
Santzes
My understanding is + sign is in the RFC, so of course it should be supported.
If you want to identify your users by email, you should probably strip the +
and everything after before checking for uniqueness. On the other hand, dots
matter in the RFC and Gmail is breaking it with their "feature".

edit: I was corrected in other comments that the + labeling is optional part
of the standard.

~~~
shkkmo
> I was corrected in other comments that the + labeling is optional part of
> the standard.

Allowing + in emails is not an optional part of the standard.

> you should probably strip the + and everything after before checking for
> uniqueness.

No, you shouldn't. Different email providers use different characters to allow
"subaddressing" or "tagging" and the presence of those characters doesn't mean
that any subaddressing will be done.

[https://en.wikipedia.org/wiki/Email_address#Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing)

------
Lazare
> The dots do matter: how to scam a Gmail user

The dots do not matter, this does not enable a scam, and 99% of people
replying to this seem to have utterly missed the point.

First off, let's be clear: The story is about someone who entered the _wrong_
email. They should have entered "eve@foo.com" but actually entered (or later
changed it to) "james@foo.com", which means that James got some emails from
Netflix about Eve's account, incorrectly assumed they were about _his_
account, reset the password on Eve's account, and came close to entering
payment information into it.

All of which is fine; this is how email works, and how modern services
(correctly) use email: By identifying an account with an email address, and
assuming that if you have control of the email address you should have control
of the associated accounts.

The author is weirdly focused on the fact that gmail allows some flexibility
in how the local part of the address is interpreted, but this is a feature of
most email providers (yahoo, outlook.com, protonmail, and fastmail all do it),
and is a feature offered by qmail, courier, and postfix as well. It's also
explicitly required by the relevant RFCs. And...

...it's utterly unrelated to the issue at hand. This isn't _about_ how the
local part is interpreted; it's about someone typing the wrong address that
they don't control when they sign up for an account. Sub-addressing and the
details of how some random mail server normalises the local part is _not what
this is about_. If gmail bounces all emails with "incorrect" periods, it might
have stopped this particular incident, but it doesn't solve the issue which is
about people giving out your address instead of their own when creating an
account, which is the actual issue here.

Further, the proposed scam, if it works, only works because (allegedly)
Netflix lets you change an account email without verifying that you know the
current password. This violates every tenet of account security; because
email is used to prove you control an account (allowing, eg, password resets),
_changing_ the email obviously requires you to prove you control the account.
You have to ask for the password! I rather suspect Netflix does, but if not,
this is the core issue.

~~~
laughinghan
> the issue which is about people giving out your address instead of their own
> when creating an account, which is the actual issue here.

If the other person had tried to use the author's email address written
exactly the same as his existing Netflix account, Netflix wouldn't have let
the other person create a new account, but would instead have made them log
into the existing account. The fact that Netflix and Gmail don't have the same
notion of "existing account" IS the key issue here.

> the proposed scam, if it works, only works because (allegedly) Netflix lets
> you change an account email without verifying that you know the current
> password

Well, Eve knows the account's password at the time she changes the account
email, the article explicitly mentions this: "Eve has access to account N2
because she set its password when signing up".

But this does touch on an interesting point. If Netflix required him to enter
his password before he could update the credit card from Eve's to his own,
then to go through with it he'd have to reset the password, so even if he went
through with it and double-paid at least Eve wouldn't be able to reap the
benefit of a free Netflix account, which is at least a less severe security
issue than the current situation.

~~~
Lazare
> Well, Eve knows the account's password at the time she changes the account
> email, the article explicitly mentions this

Right, but read the rest of the sentence:

> I also have access to the account because I own james.hfisher@gmail.com, and
> so I can follow the password reset process for this account. I did so.

So at a minimum, Eve did not know the password at the time they would have
(hypothetically) tried to change the email, as James says he had reset the
password. And at least based on my interpretation of the linked article, this
is unavoidable; you can't manipulate payment details without being logged into
an account, and the only way to log into his bogus second account would be via
a password reset.

If that's true, your proposal is in fact the situation: You do have to reset
the password, and there's no benefit to the "scammer"; at most you can trick
someone into paying for two different Netflix accounts. And this does _seem_
to be true; he provides the link as
[https://www.netflix.com/simplemember/editcredit?locale=en-GB](https://www.netflix.com/simplemember/editcredit?locale=en-GB) which
doesn't contain an account identifier and _does_ (of course) require
authentication.

> The fact that Netflix and Gmail don't have the same notion of "existing
> account" IS the key issue here.

Well, first it's worth noting that Gmail is following the relevant RFC here
(as per RFC 5321 2.3.11 Mailbox and Address, "...the local-part MUST be
interpreted and assigned semantics only by the host specified in the domain of
the address."), so if Netflix _is_ relying on the semantics of the local-part
then they're simply in error. And second even without this there's a lot of
ways of getting a plausible looking phishing email into someone's inbox. If
Netflix security relies on targets not seeing a malicious email, then they've
done something terrible.

------
jimwhite
100% disagree. My standard gmail address is with dots but when I have to tell
my (rather long because it is my full three part name) I either omit the dots
or tell them they don't matter. Totally an important and useful feature.
Netflix is at fault for letting someone else use your email without asking you
for permission.

~~~
earenndil
Why should netflix be required to adhere to the different ways that every
email provider doesn't adhere to the spec?

~~~
hexane360
Because it's Netflix not adhering to the spec, which states that local
addresses are to be interpreted by the host only. Netflix has no business
caring about how Gmail interprets its local parts.

~~~
shkkmo
Well, if Netflix stripped the periods, THAT would be not adhering to the spec.
Netflix's issue is that they have a lax security practice, not that they don't
adhere to the spec.

------
sorahn
I really wish that I could tell google to bounce all the emails that don’t
match my “dot pattern”

I’m now in complete control of someone else’s commercial business hvac account
because of precisely this problem. And the worse part is that I don’t know the
correct email to get ahold of this person. They’ve set up library
appointments, I received a receipt for a down payment on a lake house,
basically most of this persons recent attempt to start a commercial business
has been emailed to me.

I don’t want this email google. Please give us the option to make it stop.

~~~
endorphone
_I'm now in complete control of someone else’s commercial business hvac
account because of precisely this problem._

But that has absolutely nothing to do with the dots. Indeed, almost every
comment about this has nothing to do with the dots, including the submission.

Someone entered the _wrong_ email address, and in the process got yours. It
isn't like the dotted or undotted one is legitimately theirs -- it can't
possibly be -- but that they forgot a middle initial or something of the sort.

I've written about this before -
[https://dennisforbes.ca/index.php/2016/04/08/email-addresses...](https://dennisforbes.ca/index.php/2016/04/08/email-addresses-need-a-checksum/)
- but the issue is with email itself, and the notion that once someone enters an email address it is authoritative. Like you I get a tonne of email for other people. I get travel tickets. I get room reward points. I get calendar events for car service in England. The dots aren't the reason.

~~~
hv42
I strongly disagree with the author as well. Netflix is not doing its job.

But the scam described by the author works because the victim already has an
account registered with their Gmail address.

The warning could be a good idea.

Also, I wish the email address of both the recipient and emitter were shown in
a better way in Gmail.

~~~
shkkmo
The scam works because of Netflix's lax security practices around verifying
emails. Given how easy it is to make a mistake filling in your email address,
an email address should never be trusted until it is verified AND you should
make clear during your sign-up process that the user should expect a
verification email so they know something is wrong when they don't receive
one.

------
Buge
>Where is the security flaw here? Some would say it’s Netflix’s fault; that
Netflix should verify the email address on sign up, or that Netflix should
disallow the registration of james.hfisher@gmail.com when a Netflix account
already existed for jameshfisher@gmail.com. But such policies would not add
security, and would force Netflix and every other website to have insider
knowledge of Gmail’s canonicalization algorithm.

This is a bizarre quote. The fact that "Netflix should verify the email
address on sign up" would not "force Netflix and every other website to have
insider knowledge of Gmail’s canonicalization algorithm".

~~~
jamesfisher
I'm sorry, this sentence wasn't clear, and I agree with you. What I meant by
this was:

- Some would say that Netflix should verify the email address on sign up, but
there's no obvious attack that this mitigates. Using someone else's address on
signup only cedes account control to them.

- Others would say that Netflix should disallow the registration of
james.hfisher@gmail.com when a Netflix account already existed for
jameshfisher@gmail.com. But this would force Netflix and every other website
to have insider knowledge of Gmail’s canonicalization algorithm.

~~~
jsnell
At least three people have successfully created a Netflix account with my
gmail address, written in exactly the same way I would normally write it:
Jessica in 2012, John in 2013, and Jen in 2017. The first two somehow managed
to recover and change the email address, the last one never did. (So maybe
it's now finally blocked off from further registrations.)

If any of them had shared my name, the effect would have been just the same as
in your case despite there being no canonicalization issues. Likewise would
you really have been suspicious about seeing the notification come in for e.g.
jamesfisher+netflix@gmail.com? Who can remember exactly what services they
used a +something for?

No. This hole is totally on Netflix. It's a total shitshow, especially for a
company that loves to brag so much about how they only hire the best technical
people. No. Either they don't hire the best, or they let some kind of piece of
growth hackers actually run the show.

~~~
jjeaff
I feel like you are being a bit harsh. What is really the exposure in this
case?

I can't really imagine that there are that many blackhats trying to get free
Netflix accounts when torrents or Usenet gets you more content anyway.

And while yes, there is some friction getting torrents, it's not nearly as
much as trying to phish multiple people in hopes that they will pay for your
account.

~~~
jsnell
All kinds of other problems follow from not verifying the emails, for both the
person who owns the email account and the person owning the Netflix account.
In addition to this kind of targeted attack:

- When these accounts were active, I'd keep getting email from Netflix that I
could not stop receiving.

- In the first two cases, I could have done a password reset on the accounts
and just started using them. The original owner would have to continue paying
for it, since they'd have no way to disassociate the CC from the account.

- In the third case the user didn't get the account back at all after
forgetting their password (maybe no recovery phone number?). They lost all
their viewing history and probably also ended up paying Netflix for service
they had no way of using.

From a technical perspective, this email handling is total garbage. The only
persons winning are the growth hacker scumbags who get to write slides every
quarter about how they lose no customers in the email verification part of the
signup funnel.

------
leoedin
Why doesn't Netflix require users to be logged in before they can change their
card details? That seems like the biggest security flaw, not the Gmail dot
alias.

(I'm guessing they did A/B testing and found that having to log into your
account lost them some percentage of people. If that's the case, Netflix are
clearly putting their retention rate ahead of security)

There's probably a not insignificant number of people who are happily using a
dotted variation of their gmail account. Putting a big warning above the email
wouldn't make them very happy.

~~~
scott00
They do. The author reset the password to gain access.

~~~
evjim
But then if the password is reset, the original scammer has no access to the
account! And the scammer cannot reset the password because they do not have
access to the email.

~~~
anchpop
This is true if changing the password forces you to re-enter the password on every
device (even those that were logged in at the time)

~~~
shkkmo
Changing a password should always invalidate all existing sessions. If you
aren't doing that, then you are doing it wrong.

Edit: Or at least invalidate all sessions initiated using the old password if
you have that tracked.

~~~
will4274
> Changing a password should always invalidate all existing sessions

Doesn't with Google. They display a prompt and let you select which sessions
to expire.
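
As an added illustration of shkkmo's rule and of the per-session prompt will4274 mentions (not Google's or Netflix's code): each session records the password generation it was issued under, so a password change or an emailed reset revokes every session except those the user explicitly keeps. The in-memory store and the `device` label are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Session:
    user: str
    password_generation: int   # which of the user's passwords this session was issued under
    device: str                # assumed label shown at the "which sessions to keep" prompt


@dataclass
class Sessions:
    generation: Dict[str, int] = field(default_factory=dict)   # user -> current password generation
    store: Dict[str, Session] = field(default_factory=dict)    # session id -> Session

    def login(self, user: str, device: str) -> str:
        """Issue a session bound to the password the user just proved knowledge of."""
        sid = secrets.token_urlsafe(32)
        self.store[sid] = Session(user, self.generation.get(user, 0), device)
        return sid

    def is_valid(self, sid: str) -> bool:
        """A session is live only if it was issued under the user's current password."""
        s = self.store.get(sid)
        return s is not None and s.password_generation == self.generation.get(s.user, 0)

    def active_sessions(self, user: str) -> List[Tuple[str, str]]:
        """What the prompt would list: (session id, device) for every live session."""
        return [(sid, s.device) for sid, s in self.store.items()
                if s.user == user and self.is_valid(sid)]

    def change_password(self, user: str, current_sid: Optional[str] = None,
                        keep: Iterable[str] = ()) -> int:
        """Bump the generation so every session issued under the old password dies.
        The session performing the change (if any) and the sessions the user chose
        to keep are re-issued under the new generation. A reset via emailed link has
        no current session, so by default it revokes everything, which is what locks
        the other party out in the Netflix story. Returns the number revoked."""
        keep_set = set(keep)
        if current_sid is not None:
            keep_set.add(current_sid)
        old_gen = self.generation.get(user, 0)
        self.generation[user] = old_gen + 1
        revoked = 0
        for sid, s in list(self.store.items()):
            if s.user != user:
                continue
            if sid in keep_set:
                s.password_generation = old_gen + 1
            elif s.password_generation == old_gen:
                del self.store[sid]
                revoked += 1
        return revoked
```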

------
melvinmt
> But firstly, no one wants this infinite set of email addresses. Gmail
> already provides this in the better form of plus labelling.

What is the difference between dots and pluses? They both have the same flaw:
to Netflix they will both be distinct addresses.

~~~
richrichardsson
Pluses are part of the email standard, dots are some nonsense Google thought was a
good idea.

~~~
Buge
Plusses are an optional part of a standard[1]. The main email standard does
not require a+b@c.com to be treated the same as a@c.com [2].

[1] [https://tools.ietf.org/html/rfc5233](https://tools.ietf.org/html/rfc5233)

[2]
[https://tools.ietf.org/html/rfc5322#section-3.2.3](https://tools.ietf.org/html/rfc5322#section-3.2.3)

~~~
0x0
Another interesting part of dots in emails is that they apparently can't be at
the end of the username, EXCEPT if you also "quote" the entire username. So,
<a.b.@example.com> is probably invalid but <"a.b."@example.com> (including the
"quotes") is supposedly valid.

Had an acquaintance who was signed up to a popular email service with "a.b."
(their initials) for years until they changed their underlying platform, after
which they actually were very sorry to let him know that they could not
support his strange email address any more and terminated the account.

------
dr4g0n
I have a similar problem due to the whole "gmail.com" vs. "googlemail.com"
thing that came about in Europe in the earlier days of Gmail.

When I got my gmail account, Google gave me a "googlemail.com" address, due to
a pre-existing trademark in Europe. These days the "gmail.com" suffix works
for my account, but I've already set everything up with the "googlemail.com"
form and saw no reason to switch. Sometime in 2016, someone started using the
"gmail.com" version to sign up for stuff, and I repeatedly nearly fell for
this exact problem... It's made more difficult by the fact that Google clearly
_want_ me to use the "gmail.com" form, and refer to it by that address in many
places, despite me opting to use the long form in settings.

I don't think the person using my email address is being malicious, I think
it's by mistake, but I have no means to contact him to fix the problem.

------
leddt
I don't see the scam here. If you have to go through password reset to get
into the account and update the CC number, then the would be scammer does not
have access to that account anymore (assuming Netflix logs you out of other
devices when you change your password).

Sure, you end up paying for an account you don't use, but nobody gains from
that (other than netflix). It certainly is an issue that can easily be fixed
by netflix validating email addresses, but I don't see any incentive for
scammers abusing it.

~~~
ScottEvtuch
I was thinking the same thing. This isn't really a viable scam unless maybe
Netflix offers multiple ways to reset your password, which isn't addressed in
the article. Maybe a text message reset is possible?

------
JaggedJax
As someone who commonly has other people mistakenly use my email when signing
up for things, I 100% blame the service (Netflix) for this. This is only done
as a way for them to increase signups/revenue and the fact that so few
services require verification is why people don't realize they are using an
email that isn't theirs for years.

Getting rid of dots only solves one tiny portion of this problem which would
be completely solved if Netflix and others required verification. Gmail cannot
stop people from using my email address to sign up for things, but Netflix et
al. can do that and protect their users' privacy and personal info with one
single email.

A better example is that a few years ago Turbo Tax emailed me personal details
and gave me access to someone else's taxes because they didn't require
verification. That is insane (and I believe/hope was since fixed)!

------
gcb0
netflix security sucks for not doing email confirmation and the ONLY email to
be sent to the updated address being a billing one.

and no, it should never "know about" the dot feature in gmail. that is working
as intended all around. it's simply that netflix put user bounce rate metric
in front of protecting users from scam. plain and simple.

~~~
aaossa
IMO It's not Netflix's fault, actually emails with dots in different positions
should be different emails. Also, not sending a confirmation email is a common
pattern now. Maybe an email about "you created an account :D" should be enough
mitigation, but this is not their fault.

~~~
bad_user
> _actually emails with dots in different positions should be different
> emails_

Don’t know from where this is coming from but there’s no such _should be_
rule, there never was.

As a matter of fact an email server can have any aliasing setup it wants.
FastMail for example does sub-domain aliasing, which is awesome because I can
use a unique email address for any service I sign up to.

Any email server or service worth its salt allows aliases. Which aren’t hard
to guess for a determined attacker either.

Netflix has no excuse ;-)

~~~
Pxtl
subdomain aliasing sounds way better than + aliasing. Too many sites block +
aliasing.

~~~
gcb0
> Too many sites block + aliasing.

You actually mean: Too many sites were coded by incompetent people and have
broken input validation.

~~~
bad_user
Yes, unfortunately that's the truth.

For example: meetup.com

On an email with a plus in it, they complain with this exact error message:
"This isn't a valid email address".

I contacted their support a year ago. They replied that they've passed along
my "feedback". Nothing happened since then.

That said, plus aliasing is sort of a standard. And spammers could eliminate
anything after the plus, its usage being pretty obvious, so you can't rely on
it for tracing spam. Eliminating the aliasing is much trickier to do with sub-
domains, as it's not at all clear when aliasing is used or not. And some email
services support custom email routing based on your own regular expressions
(e.g. GSuite) so you can come up with your own weird scheme.

Plus aliasing is only fine when you don't have control for doing something
better, more opaque. Like when you have a work or a @gmail.com address.

------
martin-adams
A couple of things that I didn't quite follow.

1. In order to provide the payment details, they had to do a password reset
to the dot-email address. I can only assume that locks out 'eve' in this case,
but I suspect it doesn't force a re-login on all devices.

2. When 'eve' signed up to the dot-email address, surely Netflix would have
sent a welcome email thanking them for starting a trial. So in that case, I
can't see how it would have gone completely undetected up to this point.

I personally feel that Netflix should validate the email address on
registration. Otherwise people who genuinely sign up with a typo in their
address may lose access to it forever.

------
ada1981
I'm pretty sure Amazon allows unlimited accounts as long as you have different
passwords.

This is beyond bizarre. I have at least 2 accounts with the same email and the
way into it is by knowing what password leads to which one.

I have yet to see what happens if I try to set both accounts to the same
password.

~~~
r00fus
This is hard to believe. So you're saying that they hash/bcrypt (user+pass) to
determine uniqueness?

~~~
ada1981
I just took a screenshot of being logged into both accounts.

[https://imgur.com/a/jxmhI](https://imgur.com/a/jxmhI)

~~~
r00fus
How did you get the 2nd account in the first place? I'd like to reproduce
this.

~~~
ada1981
I guess I signed up for a new account with the same email and set a diff
password?

Pretty sure that is all it takes.

------
tejasmanohar
IMO, the _big_ takeaway here is that protecting yourself from phishing is not
just about making sure the email is from who it says it is but also making
sure it's actually serving the purpose you believe it is.

While I, like many in the comments, agree that Netflix needs to validate the
email account, my hunch is this trick would still be quite effective with
that.

------
msravi
Wait.. he logged in to the N2 account by going through the password reset
procedure, right? So now, the scamster loses access to the account, because
the password that she set is no longer valid.. So how does she get back access
to the account once he's changed the password and put in his credit card
details?

~~~
SoreGums
Exactly what I was thinking. As my next step would be to deactivate other
sessions. Then bam, no more access for this other person....

------
jameskilton
One interesting thing to note, for GSuite accounts, the dots _do_ matter.
first.last@company.com is not the same account as firstlast@company.com.

~~~
notpeter
This is true of gmail accounts as well. If you signed up with first.last you
always must login with first.last.

The real issue is that old account names are actually case sensitive too.
Starting a few years ago Google normalized all account creation to lowercase,
but existing case sensitive accounts remain. We implemented OAuth, normalizing
accounts to lowercase in our db and everything was fine for years until we ran
across a user whose account legit was FirstLast@ and would only auth that way.

~~~
w0rd-driven
My wife has found this is absolutely _not_ the case for gmail. She
consistently gets firstnamelastname emails instead of firstname.lastname which
is the one she signed up with.

To test a theory I told her to login as both using the same password. Both go
to her gmail account. Logging in without the dot shows the address as still
firstname.lastname.

My assumption at the time is during signup Google strips the dot and it's
merely there for cosmetic purposes. The RFCs should treat the dots as separate
accounts but Google does not.

Just to verify this is still happening, I also have a first.last account and
signed in without the dot. When I got into my account it says 'signed in as
first.last'.

This may affect accounts created up to a certain point in time though as both
accounts are almost as old as gmail. I got invited back during the early days
and invited my then girlfriend at the time (now my wife). If this has changed
over time it's become way more confusing.

~~~
astura
If what the GP said is true it sounds like nobody else signed up for the "non
dot version" before Google normalized accounts. Gmail would only treat the
accounts differently if first.last and firstlast weren't the same people.

------
resonanttoe
Or you could make sure vendors follow RFC2822.

Now admittedly it's dense to read, but the two sections that are relevant are:

[https://tools.ietf.org/html/rfc2822#section-3.2.4](https://tools.ietf.org/html/rfc2822#section-3.2.4)
&
[https://tools.ietf.org/html/rfc2822#section-3.4.1](https://tools.ietf.org/html/rfc2822#section-3.4.1)

3.2.4 explains what a dot-atom can be made up of; 3.4.1 explains what can be
accepted in the make-up of an address.

I'll always prefer vendors operating within spec even if the spec is as dense
as fuck.

~~~
jiveturkey
What’s your point? The vendor in question (gmail) is within spec.

------
fvargas
The article shines light on three separate failures on Netflix's part:

1\. Canonicalize email addresses

Whether or not dots or +asdf is considered okay, an email address used for
identification needs to be canonicalized in order to avoid duplicate sign-ups.

2\. Never leak information through sign-up forms

A login attempt either succeeds or fails. That is all the user should know.
Telling the user if the attempted email address exists or does not exist is a
privacy breach and a security breach as demonstrated in this article.

3\. Never assume ownership of an email address until it is verified

Some services verify email addresses at some point in the user flow, some
never verify, and few verify at the right point. The best sign-up flow I've
seen is Slack where setting a password is part of the email verification flow
and a user cannot set a password and _own_ the account until they have
verified the email address.

Thus, sending transactional emails beyond _verify your email_ or _reset your
password_ before the email address has been verified opens one up to security
breaches as in the case of Netflix.

~~~
paxys
Disagree with the first two.

1\. Netflix shouldn't have to care about the internal implementation of Gmail
addresses. It's perfectly fine to treat ab@service.com and a.b@service.com as
separate accounts.

2\. If you attempt to sign up for Netflix with an email address which already
exists in their system and they tell you that, it isn't a security or privacy
breach. There is absolutely no other way to handle the situation.

Agree with the third one though. A "click here to activate" email absolutely
needs to be standard in every sign-up flow.

~~~
fvargas
By canonicalization I'm not saying any arbitrary practice by Gmail or any
other email provider should be considered as standard. I haven't looked at the
RFC in some time, but I don't believe the use of plus suffixes is standard
either. Nonetheless, I believe plus suffixes are more commonplace, generally
permitted, and serve a reasonable purpose. For instance, sending email to a
user using their email address as provided is a good practice in order to
preserve a plus suffix which may aid the user in organizing their email. At
the same time, canonicalizing email addresses in a sensible way, e.g.
stripping plus suffixes, can be an aid for preventing unintentional, duplicate
sign-ups. Just consider a sign-up form on the homepage of a website. It's not
uncommon for people to enter their email and password into that form by
mistake thinking they're signing in. Additionally, if the website compares
canonical email addresses when checking login credentials, then a user who
signed up with an email address containing a plus suffix can sign in using
their base email. These two situations combined could lead to the accidental
creation of a duplicate account if canonical email addresses are not compared
during registration. There are some trade-offs with this strategy, but as long
as the canonicalization is implemented _reasonably_, I see it as an aid to
the user. Note that reasonably doesn't necessarily mean stripping dots.

As for the second point, I consider it a privacy breach if a service publicly
associates my email address with their service without my consent. Sign-up
forms do this when giving different responses when an email address is
registered vs not registered.

As for how to handle it, if a user signs up with a new email address, you send
them an email to verify their email address and instruct them to check their
email. Similarly, if a user attempts to sign up with an already registered
email address, you send them an email letting them know they already have an
account and instruct them to check their email, which will provide them with a
link to login.

In the latter case, if they enter the correct password, you can just directly
tell the user they already have an account, as they've proven their identity.
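
One way to implement the domain-aware canonicalization and the non-leaking sign-up response this comment describes, as an added example (not code from the thread, from Netflix or from any e-mail library; the gmail.com-only rule table and the in-memory registry are assumptions made for the demo):

```python
"""Domain-aware e-mail canonicalisation with a non-leaking sign-up response.

Added example, not code from the thread, from Netflix or from any e-mail
library. Assumptions: only gmail.com is treated as ignoring dots and plus
suffixes (the behaviour the article describes); every other domain gets the
conservative default of lowercasing the domain only, because the thread
points out that david+x@example.com and david+y@example.com need not share
a mailbox. The registry is an in-memory dict constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CanonRule:
    strip_dots: bool        # provider ignores '.' in the local part
    strip_plus: bool        # provider ignores '+suffix' in the local part
    lowercase_local: bool   # provider treats the local part case-insensitively


# Constructed rule table: a real deployment would maintain this per provider.
RULES = {
    "gmail.com": CanonRule(strip_dots=True, strip_plus=True, lowercase_local=True),
}
DEFAULT_RULE = CanonRule(strip_dots=False, strip_plus=False, lowercase_local=False)


def canonicalize(address: str) -> str:
    """Return the key used to compare addresses; raise ValueError if malformed."""
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = addr.split("@")
    domain = domain.lower()  # domain names are case-insensitive everywhere
    rule = RULES.get(domain, DEFAULT_RULE)
    if rule.strip_plus:
        local = local.split("+", 1)[0]
    if rule.strip_dots:
        local = local.replace(".", "")
    if rule.lowercase_local:
        local = local.lower()
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when the two addresses are known to reach the same mailbox."""
    return canonicalize(a) == canonicalize(b)


NEUTRAL_RESPONSE = "Check your e-mail to continue."


def signup(registry: dict, address: str):
    """Register `address` or detect an existing account, without telling the
    browser which of the two happened.

    The page response is identical in both cases; the distinction lives only
    in the message sent to the mailbox, so the form cannot be used to test
    whether an address already has an account. The address is stored exactly
    as typed so a plus suffix the user relies on survives for outgoing mail.
    Returns (response_text, (mail_kind, recipient_as_stored)).
    """
    key = canonicalize(address)
    if key in registry:
        return NEUTRAL_RESPONSE, ("already_registered", registry[key])
    registry[key] = address
    return NEUTRAL_RESPONSE, ("verify_address", address)
```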

~~~
__david__
The problem with your canonicalization idea is that it doesn't work in all
cases. Yes, it might work with gmail addresses, but there's no way that you
can assume that "david+x@example.com" and "david+y@example.com" are actually
the same mailbox. If you _so_ assume that, then you've just broken your
websites for users where that isn't the case.

~~~
fvargas
Why would you broadly assume an incorrect rule? Email address parsers
correctly implement canonicalization rules that consider the domain e.g.
gmail. It doesn't require any extra work as a developer and the logic is
hidden behind the abstraction. But certainly, you shouldn't go implementing
arbitrary rules that aren't reasonably applicable.

------
sandov
The article is wrong: The number of email addresses is NOT INFINITE.

The 'user' part of an email address (before the @) has a maximum length of 64
characters. If n is the number of non-dot characters in the user part, then
only (64 - n) dots can be added to the address for it to still be valid.

The valid email addresses for that user are a subset of all 64 character
combinations possible with dots, alphanumeric chars, _, and a finite set of
characters that I don't remember right now. That is a finite set, therefore
the subset is also finite.

~~~
saagarjha
For Gmail, you can add a plus to the left side of your email address and then
append an arbitrary string. For example, email@gmail.com and
email+foo@gmail.com are the same address.

~~~
tejasmanohar
And, it's still finite, right? Just a large, finite number :P

~~~
saagarjha
No? You can put whatever string you want there, of which there are an infinite
number…

~~~
tialaramex
The poster already explained that no, you can only write up to 64 characters
which is not "infinite"

~~~
saagarjha
Ah, I didn't catch that.

------
aladagemre
It is weird that Netflix is allowing James to update Eve's payment information
without logging into Eve's account. I think that is the actual security
vulnerability.

On the other hand, e-mail verification should be done eventually to protect
Eve from James recovering her account in case Eve had made a typo
unintentionally.

~~~
mulmen
Pretty sure he reset the account password using the email he has. That allowed
him to access the account and view the payment information. This is why
validating email addresses is critical before accepting payment information to
a subscription service.

------
Sylos
Frankly feels like these comments are being astroturfed by Google.

Sure, Netflix should have done things differently, and technically what Google
is doing is not wrong, but if we look back at reality for a second here, it is
simply the case that many services (and users) make the assumption that only
one e-mail address leads to a user's inbox.

This breaks this paradigm and as a result does cause realistic security
issues, whether it requires a Netflix to make a mistake, too, or not.

------
gnicholas
> _but I also have access to the account because I own
> james.hfisher@gmail.com, and so I can follow the password reset process for
> this account. I did so._

I wonder if others feel that it is ethical or unethical to log into other
people's accounts in this situation.

I get lots of emails resulting from people typo'ing my email address instead
of theirs—and the unsubscribe links are often hidden behind a login page. But
I feel uncomfortable signing in using a "forgot password" link into an account
that I know isn't mine. At the end of the day, I usually just create (yet
another) email filter to automatically delete these emails (marking them as
spam doesn't train the spam filters in my experience).

I'd be interested to know what others think of the ethics of this, or if there
are other workarounds.

~~~
ada1981
I'd log in and cancel the account. Why feel weird? Someone is using your email
address without your permission.

Curious how often this happens.

~~~
abrowne
I have firstname.lastname (although now it just forwards to my FastMail vanity
domain) and I've shut down new eBay and Amazon accounts plus received doctors
appointments and even school lunch duty emails. Sometimes I respond, and I
even forwarded a couple after figuring out one mis-user's real email
(firstnamelastname0) when a cable company csr chat log was emailed, but they
never responded so now I delete them all.

~~~
berkut
I've had the same: I have firstname.lastname, and I've had netflix, nytimes
subscription, dropbox registrations (and warnings that it's full), hotel
bookings, and many other things that are nothing to do with me, targeted to
firstnamelastname.

I also get regularly added to conversations with other people who think I'm
someone else. Again and again I've had to try and explain that they've got the
wrong email address, but it happens so often now, I just don't bother now and
ignore the emails.

------
gboudrias
Fascinating article, thanks for the info!

> The only clue in the screenshot above is that the interface says “to
> james.hfisher”, instead of “to me”.

I just tested it, and I'm not even getting that clue. It says "to me", and
it's only when I click on the little arrow that it says "(Yes, this is you.)
Learn more". But you'd have to be suspicious in the first place to click the
arrow...

I find this to be a very poor idea indeed, and hiding the clue is poor design
to boot.

~~~
Overtonwindow
Oddly a friend has an email that’s first.middle initial.last. I just tried
without dots and it got bounced.

------
SmooL
I'm sorry but this is ridiculous. The author

1) mentions the dots DO matter, and calls for their removal as a feature,
but makes no mention of the ability to add '+{whatever}' to an email providing
the exact same attack vector

2) states this is a gmail issue, when any email provider could do the exact
same thing and have it be a problem

3) states the Netflix not verifying the email before payment is somehow not a
fix because "using someone else’s address on signup only cedes control of the
account to that person", when the receiver has full ability to _not_ confirm
the phishing account.

Netflix is what, just supposed to know and stay up to date with all possible
email providers various email mappings? No, rather, they should verify the
email address before payment. Granted, the onus is on the user to notice a new
'Confirm your email with Netflix' email. Maybe Netflix could make it really
obvious that the email is for a _new_ account? Defense against phishing
attacks will always rely on some amount of intelligent user behaviour; if a
user is not going to read an email and blindly click through, I'm not sure
there's much that can be done anyway.

~~~
hbosch
Author does mention the “+” feature.

------
elvirs
Netflix was billing TWO of our cards for the same account EVERY MONTH! when I
finally noticed this and called Netflix only last charges were refunded.
Netflix has very loose rules when it comes to billing as long as they are
getting paid

------
tehwalrus
Or, whenever you get an unexpected email, go retrieve your credentials from
your password manager, log in via the main page, and check you can see the
message/problem it's referring to.

(Some of us use the dots to trick some sites into using a nonstandard email,
rather like the username+netflix@gmail trick, so you can see who sold your
email to the viagra trolls. Some sites reject + in emails, making the dots v
handy.)

------
chenning
Netflix should validate the email account. But, also, when you get the email
to update the invalid credit card information and you click on the link,
shouldn't Netflix force you to Sign In? This kind of security step is already
common to thwart attack vectors where someone finds your computer unlocked and
tries to reset your password on you. Google does this when you go to
accounts.google.com. They always verify it is _you_ sitting in front of the
computer. So getting back to the Netflix situation, once you click on the link
to update your credit card info you won't know the password for the rogue
account and it's not your account UUID or whatever so I'm assuming Netflix is
smart enough to make you prove it's you by entering the password. But you
won't know the password. If you were tempted to click Forgot Password and go
through all that rigamarole, then you hijacked the attacker's account. I guess
what I'm trying to say is, most of the issue here should already be solved by
appropriate defenses against different types of attacks. No?

------
sofayam
Interestingly Gmail will let you filter in a dot sensitive way. Anyone missing
my dot gets sent to a folder called “wrongguy”. Whenever I drop by to look at
it it’s full of spam.

~~~
everybodyknows
That works for the usual, accidental missing-dot case. Won't work for phishing
that injects a '.' in some other position.

------
_cereal
Something similar happened to me a few weeks ago: the scammer registered an
account indicating my Gmail address, with dots. I wasn't signed up to the
service with that address.

When I asked Netflix's support to remove the association of that account with
my e-mail address, they replied I had to change the card details with mine,
because it was like I was "stealing" the scammer account credit card. I
replied I would not add my credit card details. The operator then wrote me he
was going to invalidate my e-mail address so that the user that would log in
had to change it. And that it should solve my issue.

The problem, for me, is not the Gmail feature. Nor the dots, nor the plus
addressing. It's the lack of validation. Just verify the e-mail ownership
before allowing any interaction.

------
billsmithaustin
Some guy from the UK uses my Gmail address all the time. I once received a
British Airlines confirmation for him. After clicking on the link (no
authentication required!), I arrived on a page where I could change his
notification settings. His phone number was listed there, so I texted him
asking that he stop using my email address. He replied back and sounded
alarmed that I had his phone number.

I also received a photo of his passport once. Using that, a friend in the UK
was able to look up his parent’s home address. I phoned them up and left a
message asking that he stop using my email address.

He’s still using it, so I eventually set up a Gmail filter to shunt his likely
emails into a separate folder. I’ve changed my password since all this
happened, and I don’t get why he still uses my address.

------
anotherevan
As an aside, it seems a lot of people assume your email address is just your
first name and last name with "@gmail.com" tacked on the end.

I get a lot of emails for other Evans this way. I've had wedding invitations,
been CC'd in on rental dispute discussions and all sorts of stuff because of
this assumption.

The most recent was an invitation to edit a 5th grade basketball roster google
doc. So at the top of the document I wrote a politely worded rant on the
subject of email addresses. At the same time, the original author was editing
the document and trying to delete my rant as I was typing it, so we had a
little battle going on for a few minutes. I reckon that's one person who will
never do that again.

------
joering2
On the subject of reading someone else emails:

When a company that I worked for went under, I managed to catch their falling
domain name. I set up a catch-all, which was mostly boring emails of ex-employees,
Facebook notifications and some bills etc, BUT the emails for the owners and a
few top execs were very interesting. In the sense that 3 years later I
decided to build exactly the same business (well, one of a few).

Now it is running mostly on autopilot with $2.5MM annual revenue. Many times it
obviously is what you don't know that is stopping you from entering the
market. Everything I learnt by reading my ex-bosses' emails over a few years
allowed me to set up a somewhat successful business, all on the side.

------
planetjones
It’s not just Netflix. I am having the same problem. Someone has signed up to
instagram, yahoo and others using a form of my mail address without the dots
(the one I chose had the dots before I knew gmail didn’t care). I believe a
lot of them are spam accounts. But what do I do. I don’t want to spend time
trying to speak to a customer service rep for companies that don’t want to be
contacted.

Instagram had a link at the bottom of the mail called ‘remove your email from
this account’. I click it and it says it’s not a valid link...

I don’t want this from gmail. I want the address I signed up with. It should
be simple. It’s hard to explain to others why the dots don’t matter.

------
zAy0LfpBZLC8mAC
Really, it was simply your mistake for following a link in an email and then
entering credentials where you landed, i.e. you fell for phishing.

The idea that a company should only accept one account per email address is
bullshit (it's a contact address, not an identity), and if they don't do that,
any of that "don't allow any aliases for email addresses" on the part of the
email provider would be completely pointless anyway. You simply don't use
context delivered by email as a starting point for disclosing credentials, and
you have solved all (email) phishing attacks.

------
tapirl
The opinion of the author is ridiculous. What about someone using your email,
without dots, to register as a Netflix user?

~~~
fareesh
You won't pay for it then since you know you don't have a Netflix account. In
this case you have one and you mistakenly pay for theirs too.

~~~
tapirl
What if you have ever used another of your emails, without any dots, to
register as a Netflix user?

------
mayneack
I prefer creating a unique email alias from dots more than plus. Especially if
I sign up for something I'm worried will leak my email address to a third
party, I use the dots. A malicious sharer of emails could trivially strip all
the "+site@gmail.com" before sharing, but they can't know ahead of time if
they get my primary email by adding or removing dots.

Also, a few times when I've signed up with "name+service@gmail.com", I've then
failed to unsubscribe because their unsubscribe form didn't accept the + but
the subscription form did.

~~~
zupa-hu
The malicious sharer could modify the rule to not only remove the "+site" part
but remove all the dots. Then, your trick is useless.

They might realize the "+site" and not the dots, but your point was about
ability not awareness. ;)

~~~
mayneack
Except my "real" address has dots, so I know that 0 dots are being cleaned. I
just can't tell who did it.

~~~
zupa-hu
Which doesn't provide extra information for you, as you probably don't go
around subscribing to spam mailing lists.

But all right, '+site' is more well known, so it does definitely work better.

------
bluedino
I can’t believe how many services don’t validate email. I have a fairly common
name and my gmail is first.last@gmail.com

I get so many emails that aren’t for me, more than one person out there thinks
they have firstlast@gmail.com

~~~
anonfunction
Same thing happened to me with my original gmail address. So much spam before
google was really good at filtering it. Had to change address to include my
area code, and of course I don't live there anymore.

I don't understand this though, how do they think they have an email address
if they were never able to create it or sign into it? I think more likely they
forgot the number at the end or something like that.

------
ellisv
I haven't had issues with the dot feature but have run into problems using
plus.

My problem was that I used a "first.last+website@gmail.com" format when I
signed up for a website and some time later I needed to contact customer
support by e-mail. They had no record of my account because my e-mail came
from "first.last@gmail.com" and not "first.last+website@gmail.com".

It turns out there _is_ a way to send mail from "first.last+website@gmail.com"
but I don't think it existed at the time.

------
cestith
_* The below is copied verbatim from a deeper branch of the thread, but may
clarify some things for others as well. *_

Those are three different addresses. On some systems they may be three
different accounts. On others they may be one account. On some systems,
anything ending in '@example.com' may be a single account.

It may be that defined address to account mappings exist on a domain and all
other addresses map to a default account. It's common enough the hosting
industry supports it and it has a name - a catchall email account.

Nobody sending mail to any of those addresses needs to know how many addresses
map to the account associated with the address to which they are sending. It's
an address, not an identifier. I would argue you don't have a reason nor a
right to know the address to account mappings in my systems.

What a sender should reasonably expect is that someone who can receive mail
delivered to a particular address is in charge of the email account to which
that address maps. Sending a verification email to someone expecting to
receive it is the way to validate the recipient is the intended recipient.
That's it.

If I give you my phone number, do you need to know what other phone numbers
will ring that phone or how many phones I answer in order to call me? Do I
need to disclose all the possible places I might receive a package if I want
one delivered to a single place? No.

Email addresses are addresses. That's all they are. Stop pretending they are
something else, and this will become much clearer for you.

------
esdott
The real kicker here though is that it IS possible to have registered a
separate email address in gmail with a dot. My wife has been dealing with this
in the opposite, she has a valid first.last@gmail and another person has a
separate firstlast@gmail. She has the dot but frequently gets emails for the
non dot address. We’ve gotten to know the person over like 10 years. If we’re
victims of some sort of con game, then they’re certainly in it for the long
haul...

~~~
Gigablah
But how do you know that the other person registered a gmail account, as
opposed to, say, them registering the wrong email address with the email
senders?

~~~
astura
Send an email and see if that email shows up in your inbox?

~~~
Gigablah
If gmail ignores dots in the email address, of course that email is going to
show up in your inbox.

~~~
astura
And if it shows up in someone else's inbox then you know that the other person
registered a gmail account with the dots, which was the question.

~~~
Gigablah
Which goes back to my question; how did he know that there _is_ another inbox?
Unless he happens to know the other person... well, in person.

And if he knows them in person, why hasn't either of them switched email
addresses already (within the last 10 years)? Something doesn't add up here.

------
Camillo
Removing the dots and the pluses is not enough.

Let's say that James Fisher also owns jameshfisher@yahoo.com. Eve finds that
jameshfisher@gmail.com has a Netflix account, so she registers a new account
with jameshfisher@yahoo.com. The scam proceeds the same way; if James
registered for Netflix a while ago, he may not remember whether he registered
with his Gmail address or with his Yahoo one (he has some services registered
with the one, and some with the other). If he set up forwarding from his Yahoo
account to his Gmail one, or if he's using a mail client, he may not even
notice that the message went to a different address.

So the solution in this case is for Google to disallow registering
jameshfisher@gmail.com if jameshfisher@yahoo.com already exists? Or to display
phishing warnings on every email that was sent to a different address (and
possibly forwarded)?

Maybe Netflix should simply verify the address upon registration after all.

------
dbg31415
> Actually, the blame lies with Gmail, and specifically Gmail’s “dots don’t
> matter” feature.

Totally wrong.

Dots don't matter is a great way to filter your messages without giving an
obvious filter. An example...

I used to use first.last+yourcompany@gmail.com when I shopped online. But a
lot of companies started blocking addresses that contained a "+" as an invalid
address.

So now I use firstlast@gmail.com for general shopping, and first.last@gmail
for friends and family. Lets me easily keep the same inbox, but filter all the
unwanted crap.

Also, I like to rotate it around a bit -- since the lack of a dot doesn't
really give me much insight... I will put the dot in based on which vendor I'm
working with -- f.irstlas.t@gmail.com, for example -- then use my password
manager to keep track of which vendor that goes to... another easy way to just
block all crap I don't want from my inbox.

~~~
daveFNbuck
You've explained why dots don't matter is a useful feature, but that has
nothing to do with whether it's responsible for some security issues.

------
ChicagoDave
I just got a non-dot response to someone paying their Duke Energy bill,
addressed to my name. I did find another person with my name in Indiana so
maybe they screwed up their email? I checked my credit and I have no fraud
activity, so it’s just weird.

I don’t like the dots-don’t-matter policy. It’s just an opportunity for abuse.

------
megablast
If they can get 6 months free access to Netflix with a dodgy CC, just keep
going down that route. No reason to do the double scam when a single is
working so well for you.

> Gmail already provides this in the better form of “plus labelling”

True, but lots of signups disable the +.

Netflix should do what everyone else does and do an email verification test.

------
jiveturkey
Speaking of plus addressing, too bad gmail doesn't have a feature that
automatically adds a label of the "detail part" of a plussed address, without
having to create the label and a specific filter for it. That'd make it so
much easier to create vendor-specific addresses.

1\. ignore all mail coming to the base (no plus) address that isn't also
whitelisted/greylisted (too bad gmail doesn't support greylisting)

2\. give out foo+vendor to any vendor, or foo+date to throwaway time limited
mail. now you can see how +vendor gets distributed and decide to block all
such mail easily.

3\. stop accepting the time-limited mail after some period. eg

      +2018     stop accepting after 2/2019
      +201803   stop accepting after 4/2018
      +20180407 stop accepting after 4/8/2018

boom, magic filters.
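
The scheme above as a working filter, written as an added example (not Gmail's code and not the commenter's): the grace periods are my reading of his cut-off table, and the allow-list handling of the bare base address and the "vendor tag" reporting are assumptions.

```python
"""Time-limited plus tags: the filter the comment above wishes Gmail had.

Added example, not code from Gmail or from the thread. Assumptions (my
reading of the comment's table): tags '+YYYY', '+YYYYMM' and '+YYYYMMDD'
are accepted until the end of the period they name plus a grace period of
one calendar month for year and month tags and one day for day tags; the
bare base address is accepted only from allow-listed senders; every other
tag is a vendor tag and is accepted but reported, so its spread is visible.
"""
import calendar
from datetime import date, timedelta


def split_address(address: str):
    """Return (base, tag, domain) for 'base+tag@domain' (tag may be '')."""
    local, _, domain = address.partition("@")
    base, _, tag = local.partition("+")
    return base, tag, domain.lower()


def _add_months(d: date, n: int) -> date:
    """Move n months forward, clamping the day to the target month's length."""
    months = d.month - 1 + n
    y, m = d.year + months // 12, months % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def tag_expiry(tag: str):
    """Last date on which a date tag is still accepted; None for non-date tags."""
    if not tag.isdigit() or len(tag) not in (4, 6, 8):
        return None
    try:
        year = int(tag[:4])
        if len(tag) == 4:                             # +2018 -> 2019-01-31
            return _add_months(date(year, 12, 31), 1)
        month = int(tag[4:6])
        if len(tag) == 6:                             # +201803 -> 2018-04-30
            last_day = calendar.monthrange(year, month)[1]
            return _add_months(date(year, month, last_day), 1)
        # +20180407 -> 2018-04-08
        return date(year, month, int(tag[6:])) + timedelta(days=1)
    except ValueError:                                # digits, but not a real date
        return None


def decide(rcpt: str, sender: str, today, allowlist=frozenset()):
    """Return ('accept' | 'reject', reason) for one inbound message.

    `today` may be a date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    base, tag, domain = split_address(rcpt)
    if not tag:
        if sender.lower() in allowlist:
            return "accept", "base address, sender allow-listed"
        return "reject", "base address, sender not allow-listed"
    expiry = tag_expiry(tag)
    if expiry is None:
        return "accept", f"vendor tag {tag}"
    if today <= expiry:
        return "accept", f"date tag {tag} valid until {expiry.isoformat()}"
    return "reject", f"date tag {tag} expired on {expiry.isoformat()}"
```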

------
neil_s
I don't understand why this post made it to the front page. As many have pointed
out in the comments, Netflix should be verifying ownership of the account.
Also, when you click the link, you would be either taken to your own logged in
account on Netflix, or you'd try to log in with your canonical address. James
in this case decided to get access to the alternative email address's Netflix
account, but when he reset his password, the "attacker" can no longer control
the account. They may still have sessions open that'll give them free TV for a
while, but won't be able to change the password because that should trigger a
prompt for the old password even when logged in. So I really don't see the
attack vector here.

------
whack
This seems like a really easy-to-fix problem on Netflix end: require the user
to log into their account (or be logged in) prior to entering their payment
information. This would completely eliminate the attack-vector the author
mentioned.

I can understand wanting to minimize user-friction, but if you're asking
someone to enter their payment information, it's very reasonable to have them
log in first.

Email aliasing (dots/plus) in gmail is very useful to many people, and it
seems overkill to blame Google for having introduced it. Besides, getting rid
of it at this point would break backwards compatibility for a huge number of
users, so the author's idea is completely infeasible.

------
_bxg1
I tentatively agree that it's an anti-feature and should be phased out, but
the risk seems pretty small.

1) It can only be exploited on sites that don't verify email addresses, which
is a relatively small number.

2) In Netflix's case it's a pretty small "scam". $14 each month which you'd
probably notice on your credit card history isn't going to break the bank. And
presumably Netflix doesn't ever show a user's full credit card number,
especially before email verification.

It's an interesting case, but I can't think of any bigger ways this could be
exploited.

------
Lazare
There's a bit of a logic issue in the proposed attack.

> 7\. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s
> access to this account.

This assumes that Eve is 1) still logged into the session despite the fact
that Jim has changed their password and 2) that Netflix does not require a
user to provide the current account password to change the email.

I have no idea if Netflix does item 1; it's debatable, although it might be a
good idea in some cases. But item 2 is super basic security; I can't imagine
they don't do that. And if they do that, then there's no real attack here.

~~~
daveFNbuck
If they don't do item 1, you could pull off the scam by just staying logged in
to the same session forever.

------
zan
There are more ways to resolve this.

\- Netflix shouldn't charge cards without verifying email addresses. Security
should be an integral part of UX, and not subservient to it.

\- Individual email address canonicalisation/resolve _could_ actually be a
standard. I'm not sure whether it is or not, but if we can agree on emoji we
could also maybe agree on something that binds the internet together. Email is
infrastructure, Netflix is not.

\- There is still a potential issue by having configured catch-all email
addresses on some domains, but we should in that case optimise for the
hundreds of millions of gmail.

------
anishgt
Why is it okay for the link on the email to automatically sign you into your
Netflix account? I received a similar email as well and suspected a phishing
attempt and was genuinely surprised when it wasn't.

------
merinowool
Gmail has, or had, all sorts of bugs. I used to get a lot of email addressed
to someone else. These were genuine emails - when I forwarded them to the
intended recipient (basically resending to the "to" address) I got responses from
people thinking I am a hacker or being stunned as to why I would get their email.
After that I decided to just ignore those emails, especially as I hadn't
got a response from Google. These had in common that they didn't use the gmail
domain. It was a long time ago and I don't think I got any of those recently.

------
mekoka
Many here don't see a window of attack, the reasoning being that if the
(presumably) malicious user gives the wrong email address they lose access to
the account. Same outcome if the password gets changed by the recipient of the
message. I'd like to offer a glimpse of a potentially alternate outlook.
Maybe it doesn't even apply to this specific situation, but it nonetheless has
general relevance to this conversation.

As an alternative (and sometime supplement) to the regular email/password
sign-in, social sign-in is increasingly popular (mainly with OpenID Connect
aka Authentication with OAuth2.0). A clear realization by many that have
implemented social sign-in has been the separation of concerns between
"account management" and "authentication management", which has the natural
and arguably convenient side-effect of connecting multiple identifiers to the
same account. The way it's done is that registered users are offered the
possibility to _add_ alternate sign-in methods to their existing account (e.g.
you registered with Google, now you can add Facebook, or email/password).

The multiple login channels feature when correctly implemented with only
OpenID Connect is safe since the identifier verification step is always part
of the flow. Chances that the owner of the account unwillingly adds a sign-in
channel not under their control are slim.

Consider on the other hand a situation where an organization would attempt to
offer the same feature with OpenID Connect and their own email/password flow.
If they do the latter à la Netflix, that is without confirming that the user
owns the claimed email, there's your exploit window.

Malicious user John registers the account using social login (let's say
Facebook). He later adds email/password as a login method along with an
invalid credit card, but he uses unsuspecting user Jane's email, much like it
was done in the Netflix case. Jane receives a message and thinking that it's
her account that needs updating she first changes her password as a
precaution, before "correcting" her credit card info. All throughout never
realizing that an additional social sign-in option is enabled (Facebook).

As previously said here by many, always validate that the user owns the
address you're communicating or authenticating with.

------
nearmuse
Can't understand people who are trying to place blame on a single service. IMO
Gmail has to make those addresses disabled by default. I doubt that most
mistypes come from dots, so it is useless to handle mistypes. So it is only
useful to have those multiple email address to use them in different places.
Then why enable them by default? You can still own them but they can be
disabled until you need them. As for Netflix it is obvious that emails have to
be verified before any usage begins.

------
Grue3
The site that doesn't verify that the user who signed up owns their email is
obviously at fault here. I had someone register on Twitter with my actual
email, and it was never verified. Later when I wanted to register on Twitter I
found that my email was banned because the user who registered with it was a
random spamming bot from Malaysia. I was never even notified when someone
signed up with my email, nor when my email was banned. Looks like Netflix uses
the same braindead system.

------
mattbierner
Email addresses should only be used as contact info, not as a login name (and
login names should also be different from your display/user name). Maybe I’m
paranoid, but many sites will gladly tell anyone who knows your email that you
at least have an account there. As the browser/password manager already fills
in the password, why not just randomly generate the login name too? I
currently use email aliases and burner email addresses on sites that don’t
handle this well.

------
sabujp
ebay in india also has no email based verification and can use phone only
based verification because users are actually more likely to have a phone #
and only use sms than any email or chat app. A person from india used my mom's
email address (a us resident/citizen) to sign up and purchase men's underwear
from ebay.in (with no email verification). She had never signed up for an ebay
account. I took over the ebay account and after speaking with an ebay rep it
seems there was no way to even convert the ebay indian account to an ebay US
account. Customer support in the US didn't even think it was possible to sign
up for an account without a valid email and thought her email was hacked
(which it wasn't!). Unfortunately all they could do is offer to disable the
account forever. So now if she ever actually does want to use ebay she'll have
to use an address like foo+ebay@gmail.com or intersperse her addr with dots
assuming ebay allows it. I did email ebay's security disclosure team and I
only got a reply saying that they would look into it.

For some added fun and since I was pissed for all this wasted time (figuring
out what exactly happened, if my mom's email was hacked or not because I was
very confused initially about not seeing an email verification email from
ebay), I called the guy in india and asked if he had ordered some chaddis, he
said yes, freaked out and hung up the phone.

So yes the moral of the story is companies, PLEASE VERIFY YOUR USERS' email,
or if you don't then don't associate that email address with the account and
only do business with that user through SMS.

------
tomohawk
Many of these scams are based on people clicking links provided in emails.
Just don't ever click on those links. Go to your favorite password manager and
log in yourself.

------
written
It's a user's problem. If a user is willing to click through some unsolicited
email and _pay_, he will probably click on the verification link too if the
service sent those.

It's still a statistics game. Not everyone would pay without verification and
not everyone would click the big green button in the verification mail, but
some people will without realizing what's up, just like people fall for
Nigerian scam mails.

There's no technical solution, only education can help.

~~~
georgeam
I believe there is a technical solution. The verification link should ask you
for a password or a passcode of some sort which is provided to you out-of-band
--- ie, not via email. For example the webpage where you sign up can give you
a short 6 digit passcode for the purposes of validating your email. Then the
link that you are sent via your email directs you to a form that asks you for
the passcode. That way another person can't validate the email if you mistype
your email address as their email address and the validation link is sent to
them.
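georgeam's scheme can be made concrete. As an added example in Python, not from the article, from this thread, or from any real signup flow: the passcode is displayed on the signup page and only its HMAC is stored, the emailed link carries a separate random token, and whoever receives that link cannot complete the signup without the on-page code. The pending-signup store is an in-memory dict, the outbox list stands in for SMTP, and the 15-minute expiry and 5-attempt cap are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class PendingSignup:
    email: str
    passcode_hmac: bytes   # HMAC of the on-page code; the code itself is never emailed
    created_at: float
    attempts: int = 0


class SignupVerifier:
    TTL_SECONDS = 15 * 60   # assumed lifetime of a pending signup
    MAX_ATTEMPTS = 5        # assumed cap on wrong-passcode guesses per link

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock
        self._pending: dict = {}   # token from the emailed link -> PendingSignup
        self.outbox: list = []     # (recipient, link) pairs; stand-in for SMTP

    def _mac(self, passcode: str) -> bytes:
        return hmac.new(self._secret, passcode.encode(), hashlib.sha256).digest()

    def start(self, email: str) -> str:
        """Step 1: the user types an address. Returns the passcode to DISPLAY on the page."""
        passcode = f"{secrets.randbelow(10 ** 6):06d}"
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingSignup(email, self._mac(passcode), self._clock())
        self.outbox.append((email, f"https://example.test/verify?t={token}"))
        return passcode

    def finish(self, link: str, passcode: str) -> Optional[str]:
        """Step 2: the link from the mail plus the on-page passcode. Returns the verified
        address, or None. Expired, exhausted and already-used links are discarded."""
        token = parse_qs(urlparse(link).query).get("t", [""])[0]
        pending = self._pending.get(token)
        if pending is None:
            return None
        expired = self._clock() - pending.created_at > self.TTL_SECONDS
        if expired or pending.attempts >= self.MAX_ATTEMPTS:
            del self._pending[token]
            return None
        pending.attempts += 1
        if not hmac.compare_digest(pending.passcode_hmac, self._mac(passcode)):
            return None
        del self._pending[token]   # single use
        return pending.email
```

The person who mistyped the address keeps the passcode on their screen; the stranger who received the mail holds only the link, and the attempt cap stops them guessing a six-digit code through the link.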

~~~
written
That's pretty good. It would require some serious gullibility to defeat. If
it's an active attack, the attacker may send a second mail with the passcode and
instruct the user to enter it.

Though people are forwarding their second factor SMS confirmation codes for
their banking accounts to attackers upon request, so it's not too far fetched
someone would find a way to trick some users to enter it.

Here's one study about the phenomenon (the N is basically zero, but this
happens and banks are warning people against doing this):

[https://engineering.nyu.edu/files/VCFA_PasswordsCon15.pdf](https://engineering.nyu.edu/files/VCFA_PasswordsCon15.pdf)

------
yani
This makes no sense. Only 1 person can receive the email with or without dots.
How can this be taken advantage of when you have to login on netflix to update
your card details?

~~~
georgeam
You don't have to login to Netflix to update your card details. Since the link
you follow is coming from inside your email account, effectively Netflix
considers you to be already logged in. And we are arguing that they should
not.

------
Exuma
Completely disagree about the solution, I use that all the time and it's very
useful.

This would be a Netflix issue IMO for not validating emails properly and
allowing duplicate signups.

------
qimingweng
Have never thought about this vector, good to learn. Doesn’t the “+” matter
too? You can sign up with <victim>+<anything>@gmail.com...

------
everybodyknows
My work-around:

1\. Create a filter on "To", with correct dotting, with the action being to
apply a new tersely-named label e.g. "dot".

2\. Color all instances of the new label a greenish shade to signify goodness.
Do this by going back to Inbox, hovering over the name of your new label,
clicking on the downward triangle, and following the menus from there.

Anything incoming lacking the green label is a suspect.

------
Alex3917
This is exactly why you need to normalize email addresses. The people who
wrote the email RFCs just plain got it wrong, so it’s up to every SaaS site to
do this so that they aren’t putting their users at risk. If someone is using
an email with that’s the same as someone else’s except for the capitalization,
it should be on them to get a new email address.

~~~
HankB99
My understanding is that the RFCs define how the Internet works so by
definition, they are not wrong. You're certainly free to assert that they made
a bad decision and I'm not qualified to offer an opinion on whether you are
right or wrong.

However since Netflix is not managing email addresses in accordance with
RFC 5322, they are clearly wrong.

~~~
zAy0LfpBZLC8mAC
> However since Netflix is not managing email addresses in accordance with
> RFC 5322, they are clearly wrong.

Where are they not?

~~~
HankB99
I was wrong. I cannot find any information that indicates that the RFC
specifies that the period is not significant, only that it is allowed. In this
case I suppose it is Google that is wrong.

~~~
zAy0LfpBZLC8mAC
How is Google wrong?

~~~
HankB99
They consider email addresses composed of different (valid) characters to be
equivalent.

~~~
zAy0LfpBZLC8mAC
They do? How so?

------
wiradikusuma
I disagree with the conclusion. I own the domain name sweet.id and it has
catch-all email.

Apparently some people (all women so far) found my domain name cute, they use
it to register services (usually Twitter).

Maybe they think "Email" field in the signup form akin to "Username",
something you create instead of something you already have.

------
fatnick2001
There is SO much more to worry about than 'dots'
[https://www.reddit.com/r/sysadmin/comments/7wnz7e/this_years...](https://www.reddit.com/r/sysadmin/comments/7wnz7e/this_years_fosdem_talk_about_the_insanity_of/)

------
msiddiqui
It's a Gmail issue. I sometimes get wrong mail because of this FEATURE. Not
talking about any specific site. Gmail to Gmail only.

Just to clarify with an example: My email is: abcd.wxyz@gmail.com Other guy:
abcdwxyz@gmail.com

I wonder how many of my emails the other is receiving. All my stuff is linked
with Gmail. Any suggestions to resolve this?

~~~
tialaramex
There is no "other guy" getting your emails.

There are just idiots who genuinely don't remember their own email address. So
they'll type in your address, or the dotless variant of it, and as described
for Netflix this "works" except you get all the stuff sent to you.

------
joeblau
I get emails to my gmail account for some elderly person who lives in NYC
about him not seeing his doctor all of the time. He has my same email address
with a dot between his first and last name. I used to reply to the emails
saying they had the wrong person, but now I just auto delete them.

------
sankalp_sans
Slightly off topic, but why Gmail built a feature of Dots Don't Matter is
beyond me.

Might have been a happy accident for all I know, but it changes the behavior
that people expect from emails, which IMO is a bit of an inconvenience for
other systems that rely on uniqueness of email addresses.

------
39297
Does it mean that if I know a person's email is firstnamelastname@gmail.com,
I can register firstname.lastname@gmail.com to sniff all the email of
firstnamelastname@gmail.com?

If that is the case, that is pretty scary and I cannot trust gmail to process
my payment-related email anymore.

~~~
mystcb
No, you can't sign up like that - you can choose to register the
firstname.lastname@gmail.com and it will make that your primary. If you sign
up without the dots, you get an error message:

"Someone already has that username. Note that we ignore full stops and
capitalisation in usernames. Try another?"

------
shkkmo
I would note that while Gmail is the only one to ignore periods in the local
part, many services ignore capitalization and face the same issue.

Many services do strip capitalization when checking email address uniqueness,
but this is as much a mistake as stripping dots.

------
fiatjaf
If you're reading this and thinking about implementing your own email
registration flow, I suggest that you use something like
[https://portier.github.io/](https://portier.github.io/)

------
laszlokorte
The problem is simply that apparently you do not have to authenticate via
password before entering/changing your credit card details. The scammed user
should not be able to authenticate for the scammers account just by receiving
an email.

------
uniformlyrandom
> But firstly, no one wants this infinite set of email addresses.

Fuck off, that is my favorite feature.

------
agumonkey
Also while we're on dots, android has trouble with them, it suggests
yo...ur.na..me.......@gmail.com and other variations on that theme. It's
alright though, that's the kind of error that's so bad it's good.

------
primevaldad
Isn't email verification after onboarding, and prior to any account management
emails a viable solution on the part of Netflix here?

What they want is an easy way to begin using subscription. What users need is
a safer process to manage their account.

WIN-WIN?

------
jiveturkey
Article is wrong in several ways. Like correcting someone's grammar, one
should get the facts straight first. So many here have also got it wrong, so
it's not super surprising but those posters here haven't gone and published a
righteous article making wrong conclusions.

First, this is all on Netflix. Regardless of what any provider does, Netflix
has to protect its own accounts and the obvious way to do that is to verify an
email address before taking payment info. It could do that in a specific way
(per-provider, understanding how gmail specifically treats addresses) but
treating it in a generic way seems better and insulates them from changes to
gmail or other providers.

Now, gmail certainly could do things that bring attention to the quirks of
their own platform, but that doesn't take any of the onus off of Netflix or
any other service to DTRT themselves.

The flaws in the article:

1\. You cannot have an infinite number of addresses. Per RFC 5321 par.
4.5.3.1.1, only 64 chars are allowed in the mailbox name.

2\. Further, unless the mailbox is quoted, eg "mailbox", then dots may not be
at the beginning or the end, and consecutive dots are not allowed. (RFC 5322,
par 3.4.1 and 3.2.3). The article doesn't mention the need for quoting in its
description of "infinite" addressing. This is due to the use of dots to
atomize the text around it, for domain name parsing. It happens to be used in
the local-part for some reasons, I suppose because dot isn't otherwise allowed
and they didn't want to create another named grammar item.

3\. There is no requirement for plus or dot to be non-unique elements. RFC
5233 defines plus addressing, but this only applies to systems that care to
treat the plus in this special way. There's no general requirement that
foo+bar and foo+baz are both subaddresses of the foo mailbox; they could
instead be 2 distinct addresses. The specific relevance is that Netflix should
treat plus just like dot -- don't treat it specially.
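The three RFC points above, stordoff's objection that a site cannot canonicalise in general, and the filter workaround everybodyknows describes earlier all reduce to the same two operations: validate the local part by the RFC 5321 grammar, and only then apply provider-specific folding where the provider's rules are actually known. As an added example, not code from the article, from Netflix, or from anyone in the thread, here is a Python version in which the 64-octet limit and the dot-string and quoted-string forms follow RFC 5321, while the Gmail folding (dots, case and the `+` suffix ignored; `googlemail.com` treated as the same provider) is provider knowledge that the code labels as such and applies to no other domain.

```python
import re

# RFC 5321 section 4.1.2: atext characters allowed in an unquoted local-part atom.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
# Dot-string = Atom *("." Atom): no leading, trailing or consecutive dots unless quoted.
_DOT_STRING = re.compile(rf"^{_ATEXT}(?:\.{_ATEXT})*$")
# Quoted-string: anything but a bare quote, backslash, CR or LF, with backslash escapes.
_QUOTED_STRING = re.compile(r'^"(?:[^"\\\r\n]|\\.)*"$')

# Provider knowledge, not RFC: these domains ignore dots, case and "+tag" in the local part.
_GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(addr: str):
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    return local, domain


def is_valid_local_part(local: str) -> bool:
    if len(local.encode("utf-8")) > 64:          # RFC 5321 section 4.5.3.1.1
        return False
    return bool(_DOT_STRING.match(local) or _QUOTED_STRING.match(local))


def canonical_mailbox(addr: str) -> str:
    """Key for duplicate detection. The domain is case-folded (RFC 5321 section 2.4);
    the local part is kept exactly as typed, which is all the RFC permits, unless the
    domain belongs to a provider whose own folding rules are known."""
    local, domain = split_address(addr)
    if not is_valid_local_part(local):
        raise ValueError(f"invalid local-part: {local!r}")
    domain = domain.lower()
    if domain in _GOOGLE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    return canonical_mailbox(a) == canonical_mailbox(b)


def is_alternate_spelling(to_addr: str, own_addr: str) -> bool:
    """True when mail reached our mailbox under a spelling we never handed out; this is
    the test behind the 'correct dotting' label filter described earlier in the thread."""
    return same_mailbox(to_addr, own_addr) and to_addr.lower() != own_addr.lower()
```

Because `canonical_mailbox` raises on an invalid local part, a signup form that calls it rejects `jim..fisher@` and leading or trailing dots before any folding happens, and a non-Google address with different capitalisation is correctly kept distinct.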

------
mulmen
Relying on email providers to do the right thing (read RFCs) so you can avoid
best practices is the wrong conclusion to draw here. Netflix should validate
all email addresses. It's really, really basic stuff.

~~~
cestith
I've read the RFCs for email. The RFCs explicitly state not to make
assumptions about another site's use of the local part or how it maps an
address to a user/account.

------
Gaelan
I think the best solution for this problem is to move the password setting
after the email verification, so that if someone has an account attached to
their email, it has a password that they set.

------
grepthisab
Note the link in the article to throwaway credit card number provider (and yc
company) Final is no longer valid because Final is defunct. Well, the link
works, but you can no longer sign up.

------
antsam
I think I'm missing something here. If he reset the password and the email
address of the account now points to his inbox, then how would the scammer get
back into the account?

------
IncRnd
The two security issues are user phishing and Netflix not performing
canonicalization of email addresses. The signup process itself is not a
security issue.

The issue from the perspective of the user should be that the author clicked
on a link in an html email, when he should have instead gone to Netflix.com.
He clicked first and only then checked. Gmail even warned him of the phishing
possibility, and he still clicked on the link! He is the vulnerability that
was almost exploited.

It is true that there are other issues with user interactions, such as Netflix
allowing signups without email verification, however those were purposefully
designed that way by Netflix. They are features not bugs.

~~~
stordoff
> Gmail even warned him of the phishing possibility

Where are you seeing this? I see no warning in the screen shot.

> Netflix not performing canonicalization of email addresses

AFAICT, Netflix CAN'T canonicalise the email address (unless they start making
assumptions about specific providers) -- according to the RFCs, they can be
different email addresses.

------
Anm
I appreciate the "dots don't matter" feature, but have always felt it required
an API for external developers to canonize gmail addresses for this precise
reason.

------
anonu
I wish the plus trick in Gmail would work with others... But most websites
either think the address is badly formed or, in some cases, strip it out. Poor
form if you ask me...

------
EugeneOZ
This happens when some company makes its own sub-standard on top of an existing
one. To follow their standard about dots, all programmers should hardcode a
gmail.com domain check about dots.

------
gandutraveler
In my college days I used this feature for 'refer your friend' promotions like
uber, doordash etc. I still believe it works but haven't tried it recently.

------
howlowck
It sounds like there are two security flaws: 1\. No email verification upon
account creation. 2\. No sign in requirement when updating payment info (which
seems absurd)

------
drinchev
I don't agree with "It's gmail fault" and also I don't think Netflix should
validate the e-mails. Why?

Most of the startups I work for don't require a valid e-mail when you enter
your payment information. Reasons are multiple - conversion drop, "we took
your money, we don't care", the e-mail is anyway entered with the payment
provider, etc.

Also what comes to your e-mail and you act on is your responsibility. I don't
know about you, but I don't pay for more than a dozen services with my card
and I usually am aware when / what is being paid, so a scam like this would be
easy to detect.

------
bhartzer
Exactly why I don't use a gmail email address for anything important (like my
user accounts). Instead, logins for important accounts use my own domain name.

------
emodendroket
I guess this phishing attack is unfortunate but the dot thing is handy and,
perhaps more importantly, people will stop getting their e-mail if they break
it now.

------
darpa_escapee
>But firstly, no one wants this infinite set of email addresses

Weird, I've been using this feature for a decade. It's one of the features
that keeps me on Gmail.

------
kome
I don't get most people in this discussion... google is implementing something
NOT standard, but the fault is Netflix?

That's not how the internet is supposed to work.

------
noonespecial
I get it, but I absolutely use that gmail feature to give out different
versions of my address to see where things come from. I'd hate to see it go.

------
frogperson
So the dotless version is essentially the catch all, and anyone using a dotted
version is at risk of losing some email to the dotless account holder?

------
monochromatic
So don’t click through from the link in the email. Just go to the website
manually, like you should already be doing. Problem solved.

------
go_prodev
I think he missed one detail...

Eve in this scenario wouldn't be able to get back into the account once James
had reset the password.

~~~
CamelCaseName
IIRC Netflix accounts stay logged in over password changes, but there would be
no way to change the email back.

I really don't see how this could be an effective scam.

------
zachweisman
Netflix probably deliberately ignores this loophole because it boosts
subscribers and revenue.

I'd guess 25 million Netflix users use gmail accounts (~20% of 120M).

I'd guess 1 in 100 of those have been victims of this scam.

This would mean 250,000 victims are overpaying a cumulative $30M per year.

Given how popular gmail is, Netflix and others should disallow duplicate
accounts where the only distinction is the dots. They should also force email
verification within 30 days of signup.

------
mobydickship
Get your own domain, problem solved. Hanging out where the rest of the world
are is bound to cause problems.

------
lossolo
That's why I use normalization for gmail addresses that my users use. It
solves the problem completely.

------
paulie_a
It also doesn't help that ymail.com is a valid domain for Yahoo's email
service. That is ripe for typos.

------
thetruthseeker1
Seems like a classic case for standardizing the interpretation of email monikers.
Need an RFC for this.

------
whitexn--g28h
Reset that password and change all the contact info, now you have two netflix
accounts!

------
mjcohen
A large portion of my gmails are incorrectly sent. I have a standard response
ready.

------
tckr
Netflix deliberately doesn't verify sign-up email addresses. They are to
blame.

------
Overtonwindow
I agree with the conclusion because for years I’ve gotten bills for this guy
who has a middle initial different from me. Sometimes people put in the wrong
email. For him it still works but I get all of his billing etc. Turning off
dots would make their emails go away and his account more secured.

------
fatnick2001
There is SO much more to worry about than 'dots':
[https://www.youtube.com/watch?v=xxX81WmXjPg&ab_channel=FOSDE...](https://www.youtube.com/watch?v=xxX81WmXjPg&ab_channel=FOSDEM)

~~~
Froyoh
Pretty straightforward.

------
kyberias
Using email for 30 years and TIL that dots don't matter.

~~~
daveFNbuck
That's not a feature of e-mail. That's a feature of gmail. The dots do matter
for many other e-mail providers.

------
Pxtl
I frequently use the dots-don't-matter feature as a substitute for
plus-labeling when dealing with sites that prohibit pluses in their email addresses
(which is painfully common).

That said, I have a firstname.lastname Gmail account and I get a lot of email
following this problem:

[https://xkcd.com/1279/](https://xkcd.com/1279/)

And some have the dot, and some don't. Piles of services. Sometimes I get
confused for a second because they're services I use.... but maybe registered
under a different account.

The number of emails that don't include a "this is not me" link in them is
pathetic. Or that require you to sign in with a username and password to
contact support.

------
supercall
You write very well, this post was good to read

------
skskkk
this is nothing new. people used to do this in maplestory a long time ago for
multi accounts under one email

------
tanu057
Just tested dots don't matter, and really they don't matter.

------
jh72de
workaround: define a filter

------
vitorfs
Something very similar happened to me because of the whole dot issue and
Netflix not verifying their customer's email addresses (double opt-in).
Someone created a Netflix account using a dot-variant of my Gmail and at some
point, I received a similar email asking me to update my payment info. Right
from the email, I saw it wasn't my account and thought someone else used my
email by mistake (this happens a lot to me because I have a common name and a
short email address).

What I usually do is request a password reset and delete the account or just
remove my email address from the account. But in the Netflix case, the "update
payment" button in the email logs you in to the account without asking for the
password or anything. For the most part, people sign up to junk services/games
or are just creating a throwaway account. But this was looking like a legit
mistake. This person was actually using the Netflix account and had the
payment info there and everything. I tried to just change the email address to
something else but it required confirming the password to change the email. I
could just request a new password and change the email, but I was trying to be
careful here because I didn't want to screw this person. I started to
investigate a little bit more. Maybe this person had the account connected to
Facebook, so it would be okay to change the password and remove my email and
the account owner would still be able to log in. But it wasn't the case. I
checked the watch history, just Peppa Pig and movies for kids. The name in the
account was a female name. Probably a mom that created a Netflix account for
her child. At this point, I was feeling super guilty about removing my email address
and locking this person out of the account. All I could think of was a Monday
morning, the password not working, the kid crying out loud, the mom trying to
figure it out. Anyway, I was just trying to not cause someone trouble.

So I thought about trying to find this person on Facebook or something. She
had a not very common name so it shouldn't be hard. The payment method on
Netflix was direct debit, so I had her bank account number. From the bank
account number, I got the number of the bank's agency, and with a quick Google search I
discovered in which city her bank's agency was located, so it made the
Facebook search very precise. There I was looking at her Facebook page. The
profile picture was a happy family of three: mom, dad, and the little
child. Browsing a little bit her public feed I learned that her kid had my
name (Vitor) and that explained why the account name had her name and the
email address was a different name (her kid). So, either she created an email
address for a 1-2 year old and mistyped it, or she just typed whatever email
and created the account. The second option seemed more plausible. In any case,
she seemed pretty much clueless and I thought about how to approach this and
explain to her what was going on. So, I started to write a message... but it
sort of started to sound weird/creepy, like how I got her contacts, and I was
worried that she was going to think I was trying to scam her or something, so
I gave up and said whatever. I still receive her (I mean, her kid's) movies
recommendations.

------
ryanlol
Am I the only one who thinks this is a total non-issue? Neither Google, nor
Netflix screwed up. Only the guy who wrote this ridiculous blog post.

This is very difficult to exploit and the most you could gain is a Netflix
subscription. This is an incredibly complicated form of phishing which is
entirely mitigated by the fact that it is difficult to execute for essentially
zero return.

You have to be truly delusional to think that someone would waste their time
trying to perform this attack when they could instead download a public
sentryMBA profile and get hundreds of working accounts in seconds.

------
dahidahi1
Oh my god. This is quite a hurried conclusion that the "dots-do-not-matter"
is a misfeature of Gmail. This feature has prevented so many instances of spam
that I cannot count them. Of course, I love the "+spam@gmail.com" feature as
well, but I can't use that as often because most email field validations
prevent the "+" character in email addresses.

------
tzahola
It's a Netflix issue. They let people register email addresses which they
haven't proved to be in possession of.

Takeaway for developers: no email should be sent to unverified addresses,
except the verification emails. An "I didn't register for this" link is also a
must have in these letters.
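Both halves of that takeaway can live in one outbound-mail gate. As an added example in Python, not code from the article or from anyone in the thread: `send` refuses any non-verification template to an address that has not been verified, and every message it does send carries an HMAC-signed "I didn't register for this" link whose handler, on a valid signature, unlinks the address and blocks further mail to it. The template names, the seven-day link lifetime, the in-memory verified/disavowed sets and the outbox list standing in for SMTP are all assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse


class MailGate:
    """Outbound mail policy: only verification mail may go to an unverified address,
    and every message carries a signed 'I didn't register for this' link."""

    VERIFICATION_TEMPLATES = {"verify_email"}   # assumed template names
    DISAVOW_TTL = 7 * 24 * 3600                 # assumed link lifetime in seconds

    def __init__(self, secret: bytes, base_url: str = "https://example.test", clock=time.time):
        self._secret = secret
        self._base_url = base_url
        self._clock = clock
        self.verified: set = set()
        self.disavowed: set = set()
        self.outbox: list = []   # stand-in for SMTP

    def _sign(self, email: str, expires: int) -> str:
        msg = f"{email}\n{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def disavow_link(self, email: str) -> str:
        expires = int(self._clock()) + self.DISAVOW_TTL
        q = urlencode({"e": email, "x": expires, "s": self._sign(email, expires)})
        return f"{self._base_url}/disavow?{q}"

    def mark_verified(self, email: str) -> None:
        """Called by the verification flow once the recipient proved ownership."""
        self.verified.add(email)

    def send(self, to: str, template: str, body: str) -> bool:
        """Returns False, and sends nothing, when policy forbids the message."""
        if to in self.disavowed:
            return False
        if template not in self.VERIFICATION_TEMPLATES and to not in self.verified:
            return False    # nothing but verification mail to an unverified address
        link = self.disavow_link(to)
        self.outbox.append({"to": to, "template": template,
                            "body": f"{body}\n\nNot you? {link}", "disavow_link": link})
        return True

    def handle_disavow(self, url: str) -> bool:
        """Endpoint behind the link: checks expiry and signature, then unlinks the address."""
        q = parse_qs(urlparse(url).query)
        email = q.get("e", [""])[0]
        expires = q.get("x", [""])[0]
        sig = q.get("s", [""])[0]
        if not expires.isdigit() or self._clock() > int(expires):
            return False
        if not hmac.compare_digest(sig, self._sign(email, int(expires))):
            return False
        self.disavowed.add(email)
        self.verified.discard(email)
        return True
```

The signature covers both the address and the expiry, so the link cannot be edited to disavow someone else's address, and the handler needs no login, which is the point: the person who never registered has no account to log in to.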

