Gmail ‘dots don’t matter’ feature exposes Netflix users to phishing attacks

If your Netflix account is registered with a Gmail address, beware of any emails from Netflix asking you to renew your payment info. This, according to a developer who came within inches of paying someone else’s Netflix bill with his credit card number.

James Fisher signed up for Netflix in 2013 using jameshfisher@gmail.com, an email address that Google considers the same as james.hfisher@gmail.com because of the infamous “dots don’t matter” feature that Google insists is a good thing for users.

A person with a similar name in a different state had used this email address to sign up for Netflix. When something went wrong with the billing, Netflix emailed the real Fisher, asking him to renew his credit card details, not knowing that someone else was behind the dotted version of the address.

As Fisher recalls, he was seconds away from renewing his credit card number – essentially supplying a valid payment for someone else’s Netflix service – when he noticed that something was amiss.

“The email is genuinely from netflix.com, so I clicked the link,” Fisher writes. “It logged me in and took me to an “Update your credit or debit card” page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognize. Checking my records, I’ve never seen this card number. What’s going on?”

“I finally realized that this email is to james.hfisher@gmail.com. I normally use jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses.””

He then demonstrates how a standard phishing scam could take advantage of this oversight between the two services. Indeed, it seems ridiculously easy to exploit and trick someone into paying for your Netflix membership.
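The mix-up can be caught on the service side by mapping every sign-up address to the inbox that will actually receive mail and refusing to issue login links until that inbox has been verified. The following is an added example, not code from the article, Netflix or Google; the `Registry` class and its status strings are invented for illustration, and the plus-tag stripping reflects known Gmail behaviour that the article itself does not discuss.

```python
"""Defensive check: canonicalize Gmail addresses so that dotted, undotted and
differently-cased spellings of one inbox are treated as one account owner."""

# Both domains deliver to the same Google inbox (known Gmail behaviour).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_inbox(address: str) -> str:
    """Return the address of the inbox that will really receive this mail."""
    local, _, domain = address.strip().rpartition("@")
    local, domain = local.lower(), domain.lower()  # mailbox names are case-insensitive here
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]   # Gmail ignores a "+tag" suffix (assumption: known behaviour)
        local = local.replace(".", "")   # "dots don't matter" in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"


class Registry:
    """Hypothetical account store keyed by canonical inbox, not by the typed address."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def register(self, address: str) -> str:
        key = canonical_inbox(address)
        if key in self.accounts:
            # A second spelling of an inbox someone already registered with:
            # do not silently create a second account on it.
            return "collision"
        self.accounts[key] = {"address": address, "verified": False}
        return "pending_verification"

    def verify(self, address: str) -> None:
        """Called only after the user proves control of the mailbox."""
        self.accounts[canonical_inbox(address)]["verified"] = True

    def may_send_login_link(self, address: str) -> bool:
        """Tokenized login links go only to inboxes whose owner has been confirmed."""
        acct = self.accounts.get(canonical_inbox(address))
        return bool(acct and acct["verified"])


if __name__ == "__main__":
    reg = Registry()                                     # constructed sample data
    print(reg.register("jameshfisher@gmail.com"))        # pending_verification
    print(reg.register("James.HFisher@gmail.com"))       # collision
    print(reg.may_send_login_link("jameshfisher@gmail.com"))  # False until verified
```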

Fisher condemns Google for keeping the “dots don’t matter” feature, even though the search giant itself once admitted that the feature could be “confusing” to users. He proposes amending the Gmail feature set but believes Google should retire the feature altogether.

Security heavyweight Bruce Schneier calls it “an example of two systems without a security vulnerability coming together to create a security vulnerability.” Indeed, neither service is to blame fully for this issue but, now that the word is out, maybe one of them will address it.

As a rule of thumb, be wary of any email asking you to renew billing information. This Gmail/Netflix mix-up is a perfect example of a phishing scam created out of thin air by exploiting legitimate functionality in disparate services. Always check that all personal information in the mail is legitimate, and never supply your credit/debit card details, or renew your password, before double checking that it is indeed necessary to make such changes.

Phishing remains one of the most popular attack vectors for bad actors, and the biggest threat to online services. Google itself conducted a study with the University of California, Berkeley revealing that phishing was the greatest threat to account-based online services in 2017.

Data compiled by experts in email analytics shows that 87.6% of root domains operated by top e-retailers in the US and EU are exposing their consumers to phishing scams.

About the author

Filip TRUTA

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware, and security, and has worked in various B2B and B2C marketing roles. He likes fishing (not phishing), basketball, and playing around in FL Studio.

11 Comments

  • Netflix and others can easily prevent this issue: they should require email verification on any new accounts during the registration process. This basic security step protects the email account owners AND their customers who could make typos when entering their email address, unknowingly giving account reset control to a third party.

    • Indeed, e-mail verification would prevent abuse, but some web services (and not only) put usability in front of security.

  • So 1. how did he get into someone else's Netflix account without a password? And 2. It's impossible for jameshfisher@gmail.com and james.hfisher@gmail.com to be different users since all dotted and undotted versions of your gmail are taken when you register it. https://support.google.com/mail/answer/7436150?hl=en

  • That is why I don’t use my gmail address for anything important. My gmail inbox receives e-mail meant for other people with the same first and last name as me. I just couldn’t believe what I receive!

    • Automatic login tokens. The URL in the mail automatically logs the user in. It's a technique similar to what happens when you forget your password: the website sends you a link that lets you log in once without a username and password.

  • I don’t understand. How did he log into a Netflix account that was not his?

    Does the link in the Netflix email subvert any requirement to submit a password?

    If so that is more worrying than the initial “Dots don’t matter” email!

    • Hi there,

      The URL contains a token that lets the user in when the respective URL is accessed. This is a common practice in the industry and is pretty safe, provided that the user e-mail has been validated.

  • Google is not to blame here… Does Netflix not verify your email address? Because that's the only way I can think of that would make this happen. Otherwise you'd not be able to complete registration with an email address that you do not own. If this is indeed the case then first and foremost someone at Netflix needs to be hit with a shovel. Then, someone should get around to fixing it where the problem actually exists (in Netflix).
    The same thing that happens with the dots could happen with capitals in email addresses, which will be converted into their lower case equivalent.

    • For Netflix, an address in the form of namesurname@ and name.surname@ are fundamentally different and would let you create two separate accounts. For Google, this is technically one inbox, as the dotted address redirects to the non-dotted one and vice-versa. Because Netflix does not require you to confirm ownership of the e-mail address the impersonator's account will send e-mail notifications to your inbox. The notifications include a tokenized parameter that lets you log in without knowing the impersonator's password to their account.

      The simple mitigation would be

      a) to require the user to validate / confirm their e-mail address (one extra hurdle for customers who sign up via smart TV or console, for instance)
      b) to NOT authenticate you into the account via e-mail link, but rather to redirect you to the account that is currently signed into the browser (again a big drawback if you are signed into the TV set's app but not into the TV set's browser).