A Glitch in Gmail Could Expose You to Netflix Scammers

By Tom Pritchard on at

You may be aware that Gmail doesn't think dots are important, so if you have a dot in your email address it'll just ignore it and carry on as if it weren't there. So for instance, if I were to sign with tompritchard@gmail.com (that's not actually mine, don't send this account hate mail) emails sent to tom.pritchard@gmail.com would end up in my inbox. The problem is not everyone sees the world the way Google does, and doesn't ignore the fact dots can and do appear in email addresses. Netflix is one of them, and that opens up the possibility of being scammed.

This bug (which Google would probably dismiss as a feature, as you do) almost caught out developer James Fisher when Netflix sent him an email saying that his account was on hold and that he needed to update his payment method. The email was legitimate and actually came from Netflix.com, so it didn't raise any alarms. But when Fisher followed through with the update he noticed the credit card number associated with the account wasn't actually his. Then he noticed that the email itself wasn't his, but had arrived thanks to one of those pesky dots Gmail thinks aren't there. He wrote on his blog:

"I finally realized that this email is to james.hfisher@gmail.com. I normally use jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses”

Because Fisher had access to the emails sent to james.hfisher, he was able to reset the

james.hfisher has created their Netflix account in September 2017, whereas Fisher himself has been subscribing since 2013. As it turns out, because you don't need to verify your email address before you start watching Netflix, someone could theoretically exploit these two pieces of information to trick someone else into paying for their Netlfix subscription. Fisher explains:

I was almost fooled into perpetually paying for Eve’s Netflix access, and only paused because I didn’t recognize the declined card. More generally, the phishing scam here is:

  1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher
  2. Create a Netflix account with address james.hfisher.
  3. Sign up for free trial with a throwaway card number.
  4. After Netflix applies the “active card check”, cancel the card.
  5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
  8. Use Netflix free forever with Jim’s card **** 1234!

As Fisher explains, because he 'owns' the james.hfisher account he has the power to reset the password (which he did), but once a scammer has got hold of your details they can simply change that and cut off your access meaning you'd have to cancel the card to cut off the scammer's access - though there's nothing stopping them from simply doing it again to someone else. With that in mind Fisher has called on Google to label the 'dots don't matter' idea as a misfeature, and take steps to make sure people can't be victim to this sort of thing in the future. He also acknowledged that some of the blame lies with Netflix, who released this statement to Trusted Reviews:

We are aware of this Gmail-specific feature and are actively working on measures to protect against it being used in a malicious way toward Netflix and our members. Netflix members who want to learn more about how to keep their personal information safe against scams and other malicious activity can go to netflix.com/security and should contact Customer Service immediately if they notice anything that is out of the ordinary with their account.”

So remember, kids, always be vigilant when you get emails asking for money - no matter how legitimate it may seem. The safest source of action of to ignore the links in the email itself and double check on your account manually. If the issue is still there, then you can fix it. If not, simple ignore that email like you would any other piece of spam. [James H Fisher via Trusted Reviews]

More Security Posts: