Google: Gmail 'Security Vulnerability' Can Trick Netflix Users Into Paying for Hackers' Accounts

[Image: Google apps shown on an Apple iPhone. Researcher James Fisher believes Gmail's "dots don't matter" policy is a security risk. REUTERS/Mike Blake]

Google's Gmail service contains a suspected security vulnerability that could be exploited by hackers and email scammers to compromise Netflix accounts and steal sensitive user information, a web developer has claimed.

The issue takes advantage of the fact that Google applies a "dots don't matter" policy when it processes email addresses: it treats "johnsmith@gmail" and "j.o.h.n.smith@gmail" as the same address. Netflix, on the other hand, would assign those two addresses to different accounts on its platform.

This results in an obscure but dangerous situation, computer expert James Fisher told Newsweek. Describing the find in a blog post published on April 7, he said that the issue nearly caused him to add his credit card details to a stranger's Netflix account and warned that most consumers may not be aware of the new threat.

He received a legitimate email from Netflix asking him to update his payment details. But upon inspection, Fisher noticed that the intended recipient's email address differed from his own by a single dot.

"You might think this email should have bounced, but instead it reached my inbox, because 'dots don't matter in Gmail addresses,'" he wrote in the blog post.

Because Netflix does not require users to verify their email addresses when they sign up, Fisher said, he realized the behaviour could be used to scam Gmail users.
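The mismatch described above, in which Gmail collapses the dotted variants onto one inbox while a service such as Netflix keys accounts on the literal string, is what lets two accounts share one mailbox. The following is an added example, not code from the article, from Fisher's blog or from Google or Netflix: a service-side canonicalization step that maps an address to the mailbox it actually delivers to, so that a sign-up or payment notice can be checked against the inbox rather than the spelling. It goes a little beyond the page by also folding Gmail's "+tag" suffixes and the googlemail.com alias onto the same canonical form (an assumption drawn from Gmail's documented behaviour); the sample addresses are constructed.

```python
# Gmail delivers mail for every dotted spelling of a local part to one mailbox
# (the behaviour the article describes). The extra rules below, "+tag" suffixes
# and the googlemail.com alias, are an assumption from Gmail's documented
# behaviour and go beyond what the article itself states.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail-hosted addresses this collapses the 'infinite address set'
    (dots, +tags, googlemail alias) onto one canonical form. For other
    domains only the domain part is lower-cased, because local-part case
    and dot handling are up to the receiving server.
    """
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True when two spellings deliver to the same mailbox."""
    return canonical_mailbox(a) == canonical_mailbox(b)


class AccountRegistry:
    """Toy model of a service that keys accounts by canonical mailbox,
    so a second account cannot be created on a dotted variant of an
    address that is already registered (hypothetical, not Netflix's code)."""

    def __init__(self) -> None:
        self._accounts: dict[str, str] = {}  # canonical mailbox -> address as typed

    def register(self, address: str) -> bool:
        key = canonical_mailbox(address)
        if key in self._accounts:
            return False  # another account already delivers to this inbox
        self._accounts[key] = address
        return True

    def owner_of(self, address: str):
        return self._accounts.get(canonical_mailbox(address))
```

Canonicalization alone does not replace verifying that the person signing up controls the mailbox; it only stops two accounts from silently sharing one inbox.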

"Consumers might be aware of the dangers of phishing, where an email looks like it's from Netflix, but actually it's from an attacker," he told Newsweek.

"But there's another—more subtle—form of phishing: where an email looks like it's from your Netflix account, but actually it's from an attacker's Netflix account," he said. "In my example, the attacker hopes to fool you into paying their Netflix bill, but the same scheme could be used to fool you into paying for more expensive services or handing out sensitive information.

"The attack is especially effective because it's not enough for the consumer to check that an email's sender is genuine. The consumer must also check that an email relates to their own genuine account, and not an attacker's."

Who Is Responsible?

According to Fisher, Gmail and Netflix share the blame for allowing the attack to take place, but he said Google should be more responsible in how it manages email accounts. He said users should be able to opt out of the "dots don't matter" policy.

He wrote: "Some blame lies with Netflix, but I believe the main problem lies with Gmail, and specifically Gmail's 'dots don't matter' feature.

"The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set. Gmail users should be able to opt out of dots don't matter. I wish for any mail sent to to bounce instead of reaching my inbox. The dots don't matter feature should be disabled by default."

The computer expert described how the process could work in reality:

[Image: Phishing process. Computer developer James Fisher shows how the Google Gmail scam would work in reality, step-by-step, in a blog post published April 7. James Fisher Blog]

Google and Netflix did not respond to a request for comment. There is no suggestion that either service has been hacked or tampered with.

Creating a Threat

Cybersecurity expert and technologist Bruce Schneier said this week that the suspected Gmail vulnerability was subtle but potentially alarming.

"It's an example of two systems without a security vulnerability coming together to create a security vulnerability," he wrote in a Monday blog post. "As we connect more systems directly to each other, we're going to see a lot more of these.

"And like this Google/Netflix interaction, it's going to be hard to figure out who to blame and who—if anyone—has the responsibility of fixing it," Schneier added.

[Image: A Netflix return mailer is pictured in Miami, Florida, on January 16, 2007. Robert Sullivan/AFP/Getty]