Gmail’s Dots Are a Bug, Not a Feature

Dots matter

Google’s email platform has more than a billion active monthly users as of the last count in February 2016, which is why the recent discovery of a Gmail vulnerability should be cause for concern for the entire Internet.

The exploit uses a feature called “dots don’t matter,” which ironically was developed by Google as a security measure. In the simplest terms, anyone with a Gmail account also has access to every possible variation using dots; e.g. johndoe@gmail.com, john.doe@gmail.com, j.o.h.n.d.o.e@gmail.com all go to the same account.

The problem, and it’s a big one, is that this behavior is specific to Gmail, and not to the rest of the Internet. While services like Gmail and Facebook may filter out dots, other services do not—meaning that john.doe@gmail.com and johndoe@gmail.com would be treated as two separate people/accounts on many services and sites that require a login/password combination. This goes for major email service providers like iCloud, Yahoo Mail, and Outlook, as well as services such as Netflix, which is where “dots don’t matter” goes from being a feature to a security issue.

Columnist Jim Fisher recently described how he almost fell for a scam that targeted his Netflix account. He got an email notifying him that his credit card had expired. After confirming the email definitely came from Netflix, he noticed something odd. The last 4 digits of the card on file were wrong. He uncovered the following scam, as detailed below :

  • “Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
  • Create a Netflix account with address james.hfisher.
  • Sign up for free trial with a throwaway card number.
  • After Netflix applies the “active card check”, cancel the card.
  • Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  • Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  • Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
  • Use Netflix free forever with Jim’s card **** 1234!

While footing the bill for someone else’s Netflix account may not rank up there with the Equifax breach, it’s still relevant for the following reasons:

  • This is just the first documented exploit of a potential vulnerability: Scammers are extremely inventive when it comes to putting a new spin on old tricks and it would come as a surprise if this didn’t spark a variety of take-over tactics.
  • The scam uses your real email address and comes from a legitimate sender: The telltale signs of a phishing scam don’t apply here, making it harder for systems and people alike to identify a scam in progress. If Fisher hadn’t bothered to check the last 4 digits on file, no one would have been the wiser.
  • This isn’t a vulnerability that can be easily addressed, if it can be fixed at all: Gmail has over a billion users, Netflix has 118 million. Having either of them modify how they handle users’ primary means of identification (the email address) to accommodate the other would take an extraordinary amount of upheaval and disruption to their services.

Time will tell how this will play out, but in the meantime, check and double-check any email you receive via Gmail that’s requesting an updated payment method before you enter in your information.