Engineer points out that Gmail's address handling can be used for fraud



Jim Fisher, developer of the macOS screen-streaming app "Vidrio", points out that a feature of Gmail can be abused for fraud. According to Fisher, by using this Gmail behaviour he was actually able to get Netflix to send a legitimate user an e-mail asking them to "enter payment information" for a Netflix account that belongs to someone else.

The dots do matter: how to scam a Gmail user
https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user

According to Fisher, the scheme he describes led to Netflix sending him the following mail. The mail he actually received says that his account has been suspended and asks him to update his payment information because there was a problem with the current payment information, and it was genuinely sent by Netflix, not from a spoofed address.


The contents of this mail are also true: Netflix really did send it to Fisher because there was a problem with "payment information". However, the payment problem was not with Fisher's own account. Fisher had registered his Netflix account as "[email protected]", but this mail was addressed to "[email protected]", the same address with a "." (period) inserted. In other words, Netflix sent the confirmation e-mail not because of Fisher's account, but because the payment information of the user registered under "[email protected]" was invalid.

The reason this mail reached "[email protected]" lies in how Gmail handles addresses: Gmail ignores any "." (period) in the user name part of an address and delivers the mail to the account it identifies as the correct one.

Handling of periods with Gmail address - Gmail Help
https://support.google.com/mail/answer/7436150

Even if another user accidentally adds a period to your e-mail address when sending you mail, the mail is still delivered to your inbox. For example, if your e-mail address is "[email protected]", you also own the following addresses that contain periods.

· [email protected]
· [email protected]
· [email protected]


Normally, addresses that differ only in the presence or absence of a "." (period) are different e-mail addresses. Netflix naturally believes it is sending to a different user, and has no way of knowing that mail addressed to "[email protected]" will reach Fisher.

Fisher points out that fraud can be set up by abusing this Gmail behaviour. The following procedure assumes a case where someone wants to make a legitimate user pay for Netflix and watch for free.

◆ Procedure
1. Keep signing up for Netflix with "gmail.com" addresses until one is reported as "already registered".
(e.g. "[email protected]" is found to be a registered address)
2. Create a Netflix account using the address found, with a period added.
(e.g. enter "[email protected]" as the e-mail address on Netflix's new-account screen. Under Netflix's design, no confirmation e-mail is sent when the account is created.)
3. Register for a free trial with a fake credit card number.
4. Netflix rejects the card, judging the credit card number to be invalid.
5. Having judged the card number invalid, Netflix sends a payment-information update e-mail to the address with the period.
(Netflix sends mail to "[email protected]")
6. The legitimate user who receives the mail mistakes it for mail about their own account and enters their card number.
7. After confirming that the card number has been entered, log in to the Netflix account registered with the period-containing address from a different address.
8. Netflix can now be watched using someone else's card information.
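The two gaps the article identifies are on the service side: Netflix treated the dotted and undotted spellings as different users, and it created the account and later sent a billing notice without the inbox ever confirming the signup. The following Python example is added here and is not code from the article, from Fisher, or from Netflix; it shows the check a signup flow can make, assuming a constructed in-memory registry with hypothetical names (`canonical_mailbox`, `AccountRegistry`) and constructed sample addresses. It goes one step beyond the page's gmail.com case by also folding googlemail.com, which Google treats as an alias for gmail.com.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Providers that ignore dots in the local part. gmail.com is documented on the
# Gmail help page cited above; googlemail.com is Google's alias for the same inboxes.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the inbox an address actually delivers to.

    For Gmail the local part is case-insensitive and dots are ignored, so
    'J.Ohn@gmail.com' and 'john@gmail.com' reach the same inbox. Other domains
    may treat dots as significant, so only their (always case-insensitive)
    domain part is normalised.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two spellings of an address reach the same inbox."""
    return canonical_mailbox(a) == canonical_mailbox(b)


@dataclass
class Account:
    address: str                          # address exactly as the user typed it
    mailbox: str                          # canonical form used for uniqueness
    verified: bool = False                # True only after the inbox confirmed the signup
    pending_token: Optional[str] = None   # one-time token mailed to the inbox


class AccountRegistry:
    """Hypothetical signup store keyed on the canonical mailbox (constructed example).

    It enforces the two checks the article says were missing: no second account
    for an inbox that already has one, and no billing mail until the inbox has
    confirmed that it wanted the account.
    """

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, address: str) -> Account:
        key = canonical_mailbox(address)
        if key in self._accounts:
            raise ValueError(
                f"{address!r} resolves to the same inbox as "
                f"{self._accounts[key].address!r}; sign in instead")
        account = Account(address=address, mailbox=key,
                          pending_token=secrets.token_urlsafe(32))
        self._accounts[key] = account
        return account

    def confirm(self, address: str, token: str) -> bool:
        """Consume the token that was mailed to the inbox (constant-time compare)."""
        account = self._accounts.get(canonical_mailbox(address))
        if account is None or account.pending_token is None:
            return False
        if not secrets.compare_digest(account.pending_token, token):
            return False
        account.verified, account.pending_token = True, None
        return True

    def may_send_billing_mail(self, address: str) -> bool:
        """Payment-problem notices go only to inboxes that confirmed the account."""
        account = self._accounts.get(canonical_mailbox(address))
        return account is not None and account.verified


if __name__ == "__main__":
    # Constructed sample: the legitimate user registered first; a dotted spelling is tried later.
    registry = AccountRegistry()
    owner = registry.register("alice@gmail.com")
    try:
        registry.register("al.ice@gmail.com")
    except ValueError as err:
        print("rejected:", err)
    print(registry.may_send_billing_mail("alice@gmail.com"))    # False until confirmed
    registry.confirm("alice@gmail.com", owner.pending_token)
    print(registry.may_send_billing_mail("al.ice@gmail.com"))   # True: same inbox
```

The uniqueness key is the canonical mailbox, not the typed string, so a dotted variant of an existing Gmail address is refused at signup; a non-Gmail address such as "al.ice@example.com" is deliberately left untouched, because other providers may treat the dot as significant.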

Fisher points out that Netflix is at fault for not verifying e-mail addresses, but also says there is a problem on Gmail's side: "Most Gmail users are subject to a behaviour that delivers mail sent to addresses containing periods. A certain number of users may want the ability to receive mail even when the address contains a period, but many users do not. Google should let users choose whether or not mail to period-containing addresses is delivered; at least, I do not want it."

in Web Service, Security, Posted by darkhorse_log