Maybe it’s because I’ve been talking to Karen Lopez recently, but I’ve been struck recently about how much data matters. Forget the new cliche that “data is the new oil”. Because really, it’s not just the data en masse that’s important, but also the way that it’s collected. Since Facebook has been in the news incessantly about data collection practices, let’s use them as a quick example. If an ad agency called you out of the blue and asked you for reams of personal information in exchange for coupons or some other pittance, you’d probably yell at them and hang up in disgust. But frame that collection around a social network with baby pictures and memes. All of the sudden you’re forking over personal information all day!
Bruce Schneier reveals the implication of this in a security context with the different way Google and Netflix handle dots (I guess technically periods) in email addresses. One of the “features” Gmail has long supported is ignoring all dots left of the @ sign in an email address. This can be a useful hack to create a “spam” signup address, just filter for [email protected] and all of the sudden you’re weeding out promotional junk.
But the problem arises when other services don’t recognize this. Netflix has a much more strict criteria for email addresses, recognizing each dot in an email as distinct regardless of placement. So a nefarious actor could sign up for a trial account using [email protected] When the trial expires and payment is required, Gmail accepts the derivative email address and routes it to their account. They could easily assume this is in regards to their account, update your credit card info, then be summarily locked out of the account.
As Bruce points out, the interaction of these two otherwise secure system creates the vulnerability in ways that their creators probably couldn’t have imagined. This isn’t an intractable problem. Google could make recognizing dots in addresses a configurable option deactivated by default, and Netflix could change how they process defaulted accounts. Who’s responsible for fixing this if/when it’s exploited? Probably your credit card processor at this point.
Who knew dots could cause such a conundrum?
Bruce Schneier comments:
I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.
Read more at: Obscure E-Mail Vulnerability
- AMD Plays the Long Hygon | Gestalt IT Rundown: July 11, 2018 - July 12, 2018
- AIRI: Converging FlashBlade into an AI Reference Architecture - July 12, 2018
- 2018 MacBook Pros Comes Closer to Earning Their Name - July 12, 2018
- The Path of an IT Influencer Starts with a Single Post - July 12, 2018
- Leon Adato – IT Origins - July 10, 2018
- John Welsh – IT Origins - July 5, 2018
- Covering All Your Storage Bases - June 28, 2018
- WPA3 Is Certifiable | Gestalt IT Rundown: June 27, 2018 - June 27, 2018
- IT Burnout is Inevitable – The On-Premise IT Roundtable - June 26, 2018
- Oksana Sokolovsky – IT Origins - June 21, 2018