Maybe it’s because I’ve been talking to Karen Lopez recently, but I’ve been struck by how much data matters. Forget the new cliché that “data is the new oil”. It’s not just the data en masse that’s important, but also the way it’s collected. Since Facebook has been in the news incessantly over its data collection practices, let’s use them as a quick example. If an ad agency called you out of the blue and asked for reams of personal information in exchange for coupons or some other pittance, you’d probably yell at them and hang up in disgust. But frame that collection around a social network with baby pictures and memes, and all of a sudden you’re forking over personal information all day!
Bruce Schneier illustrates the security implications of this with the different ways Google and Netflix handle dots (technically periods, I suppose) in email addresses. One of the “features” Gmail has long supported is ignoring all dots to the left of the @ sign in an address. This can be a useful hack for creating a “spam” signup address: just filter for [email protected] and all of a sudden you’re weeding out promotional junk.
The problem arises when other services don’t recognize this. Netflix applies much stricter criteria to email addresses, treating each dot as significant regardless of placement. So a nefarious actor could sign up for a trial account using [email protected]. When the trial expires and payment is required, Gmail accepts the dotted variant and delivers the notice to the victim’s inbox. The victim could easily assume it concerns their own account, enter their credit card details, and then be summarily locked out of the account.
As Bruce points out, the interaction of these two otherwise secure systems creates a vulnerability in ways their creators probably couldn’t have imagined. This isn’t an intractable problem. Google could make recognizing dots in addresses a configurable option, deactivated by default, and Netflix could change how it processes defaulted accounts. Who’s responsible for fixing this if/when it’s exploited? Probably your credit card processor at this point.
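The mismatch above is a normalization problem: Gmail decides which inbox receives a message using one rule, and a third-party service decides which account an address belongs to using another. The following Python is an added example, not code from the post or from Google or Netflix. It shows the check a service could run at signup to detect that a new address collides with an existing account under Gmail’s delivery rules. The domain list, the sample accounts, and the function names are my own assumptions; it also strips Gmail’s `+tag` suffix, which Gmail likewise ignores but which the post does not mention.

```python
# Domains known to ignore dots in the local part (Gmail's documented
# behaviour). Every other domain is compared strictly, because the mail
# RFCs allow dots to be significant there. Assumed list, extend as needed.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the address that actually receives mail for `address`.

    For Gmail domains, dots in the local part are removed, the optional
    '+tag' suffix is dropped, and the local part is lower-cased, because
    Gmail delivers all of those variants to the same inbox. For any other
    domain only the domain itself is lower-cased (domains are
    case-insensitive everywhere); the local part is left untouched.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True if mail sent to either address lands in the same inbox."""
    return canonical_mailbox(a) == canonical_mailbox(b)


def find_colliding_accounts(existing: list[str], candidate: str) -> list[str]:
    """Return existing account addresses whose inbox the candidate shares.

    A strict string comparison (the Netflix-style check in the post) would
    report no match for a dotted variant; this check reports the account
    that would really receive the new signup's notices, so the service can
    refuse the signup or require proof of control of the mailbox.
    """
    target = canonical_mailbox(candidate)
    return [
        addr for addr in existing
        if addr != candidate and canonical_mailbox(addr) == target
    ]


# Constructed sample account list for the demonstration (not real accounts).
EXISTING_ACCOUNTS = [
    "alice.example@gmail.com",
    "bob@example.com",
    "Carol.Q@googlemail.com",
]


if __name__ == "__main__":
    # A dotted, tagged variant of Alice's Gmail address collides with her
    # account; a dotted variant of Bob's non-Gmail address does not.
    for candidate in ("a.l.i.c.e.example+trial@gmail.com", "b.ob@example.com"):
        strict = candidate in EXISTING_ACCOUNTS
        collisions = find_colliding_accounts(EXISTING_ACCOUNTS, candidate)
        print(f"{candidate}: strict match={strict}, shares inbox with={collisions}")
```

The point of `find_colliding_accounts` is that the check lives on the service side, where the post says the fix belongs: a service cannot change how Gmail routes mail, but it can recognize that two account records would receive the same messages and treat that as the same identity.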
Who knew dots could cause such a conundrum?
Bruce Schneier comments:
I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.
Read more at: Obscure E-Mail Vulnerability