While Gmail and Netflix are both secure, together they pose a phishing threat?
A developer discovered that the way Gmail handles dots in addresses creates a convenient phishing vector against Netflix customers.
The problem is that Netflix, like most systems, treats dots in the local part of an email address as significant (so richardchirgwin and richard.chirgwin are different accounts), whereas Gmail ignores them.
Over the weekend, developer James Fisher described his experience: he received a legitimate email from Netflix addressed to james.hfisher@gmail.com, which Gmail had delivered to his inbox under his dot-free address.
Because the email landed in his real inbox and genuinely came from Netflix, Fisher was inclined to act on its request to update his details.
Google's own help text explains: "If someone accidentally adds dots to your address when emailing you, you'll still get that email. For example, if your email is johnsmith@gmail.com, you own all dotted versions of your address":
john.smith@gmail.com
jo.hn.sm.ith@gmail.com
j.o.h.n.s.m.i.t.h@gmail.com
Fisher writes that this creates a phishing vector: with enough attempts, an attacker will find a Netflix account registered to a Gmail address and can then register a second Netflix account using the same Gmail address with extra dots inserted.
If the attacker signs up with a "one-time" card number and then cancels the card, Netflix emails a request for a valid card, and that email lands in the inbox of the "real" Gmail account holder. All the attacker needs is for the recipient to enter a valid card without noticing the difference, so that the victim ends up paying for the attacker's subscription.
Security expert Bruce Schneier commented on the subtlety of the issue: "This is an example of two systems that have no security vulnerabilities but which, combined, create a security breach."
Fisher suggested two fixes: Google could warn Gmail users when an email was sent to a "non-standard" (dotted) variant of their address, and it should give users the option to opt out of the "dots don't matter" feature.
He added that he thought the feature should be removed. However, Google has promoted it as a useful feature.
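Fisher's proposals are on Google's side; the same mismatch can also be caught by the service doing the signups. The following is an added example, not code from the article, Netflix or Google: a canonicalisation function that collapses Gmail's dot variants to one mailbox key so a signup that would share an inbox with an existing customer is flagged before any billing email goes out. It assumes googlemail.com behaves like gmail.com (the article only names Gmail).

```python
# Added example: service-side canonicalisation of Gmail addresses so that a
# new signup whose mail would land in an existing customer's inbox is detected.
from typing import Dict, Optional

# Domains on which Google ignores dots in the local part. Assumption: the
# googlemail.com alias is folded into gmail.com; the article only names Gmail.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the key under which the provider actually delivers this address.

    For Gmail the dots in the local part are dropped and the domain alias is
    folded to gmail.com, so john.smith@gmail.com and j.o.h.n.smith@gmail.com
    share one key. Other domains keep the local part unchanged (only the
    domain is lower-cased), since most providers treat dots as significant.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        return local.replace(".", "").lower() + "@gmail.com"
    return local + "@" + domain


def find_collision(new_address: str, accounts: Dict[str, str]) -> Optional[str]:
    """Return the id of an existing account that shares the new address's mailbox.

    `accounts` maps each address as registered to its account id. A hit means
    mail for the new signup (card requests included) would reach the inbox
    of a customer who already has an account.
    """
    key = canonical_mailbox(new_address)
    for registered, account_id in accounts.items():
        if canonical_mailbox(registered) == key:
            return account_id
    return None


if __name__ == "__main__":
    # Constructed sample data: one existing customer, one dot-variant signup.
    existing = {"james.hfisher@gmail.com": "acct-1"}
    print(find_collision("jameshfisher@gmail.com", existing))  # → acct-1
```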