The Security Problem of Email Dots

Maybe it’s because I’ve been talking to Karen Lopez recently, but I’ve been struck lately by how much data matters. Forget the new cliché that “data is the new oil”. Because really, it’s not just the data en masse that’s important, but also the way that it’s collected. Since Facebook has been in the news incessantly about its data collection practices, let’s use them as a quick example. If an ad agency called you out of the blue and asked you for reams of personal information in exchange for coupons or some other pittance, you’d probably yell at them and hang up in disgust. But frame that collection around a social network with baby pictures and memes, and all of a sudden you’re forking over personal information all day!

Bruce Schneier shows the security implication of this through the different ways Google and Netflix handle dots (technically periods, I suppose) in email addresses. One of the “features” Gmail has long supported is ignoring every dot to the left of the @ sign in an address, so any dotted spelling of your local part delivers to the same mailbox. This can be a useful hack to create a “spam” signup address: register with a dotted variant, filter for [email protected], and all of a sudden you’re weeding out promotional junk.

But the problem arises when other services don’t recognize this. Netflix applies much stricter criteria, treating every dot in an email address as significant regardless of placement, so each dotted variant is a separate account as far as Netflix is concerned. A nefarious actor can therefore sign up for a trial account using [email protected], a dotted variant of your address. When the trial expires and payment is required, Netflix sends the notice to that variant, Gmail accepts it and routes it to your inbox. You could easily assume it concerns your own account, enter your credit card info, and then be summarily locked out of the account.
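The collision described above, together with the canonicalising check a service could run instead of comparing addresses byte for byte, as an added Python example. This is not Google’s or Netflix’s code: the sample user table, the `canonical_mailbox`, `signup_allowed` and `find_collisions` helpers, and the domain lists are all constructed here. It goes slightly beyond the post in one respect: besides dots, Gmail also ignores a “+tag” suffix in the local part and delivers googlemail.com mail to the same mailbox as gmail.com, so the normaliser folds those too.

```python
"""Domain-aware e-mail canonicalisation, with the naive and hardened
sign-up checks side by side.

Added illustration for the Gmail/Netflix dot problem; not code from either
company.  Sample addresses below are constructed for the demonstration.
"""

from collections import defaultdict

# Domains whose mailboxes ignore dots in the local part.  Gmail is the
# documented case; extend only with providers whose behaviour you have verified.
DOT_INSENSITIVE_DOMAINS = frozenset({"gmail.com", "googlemail.com"})

# Domains that also ignore a "+tag" suffix in the local part (Gmail again).
PLUS_TAG_DOMAINS = frozenset({"gmail.com", "googlemail.com"})

# Alias domains that deliver to the same mailbox as the canonical domain.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical_mailbox(address):
    """Return the mailbox `address` actually delivers to.

    Only provider-documented rewrites are applied.  For every other domain the
    local part is returned untouched: RFC 5321 makes dots significant and the
    local part case-sensitive, so collapsing them everywhere would merge
    accounts that really are distinct.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]          # drop the "+tag" suffix
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").lower()  # dots and case are ignored
    domain = DOMAIN_ALIASES.get(domain, domain)
    return f"{local}@{domain}"


def same_mailbox(a, b):
    """True when two addresses, however spelled, reach one inbox."""
    return canonical_mailbox(a) == canonical_mailbox(b)


def signup_allowed(existing, candidate, *, canonicalise):
    """Sign-up decision for `candidate` given the addresses already registered.

    canonicalise=False is the byte-for-byte comparison the post attributes to
    Netflix: every dotted variant looks like a fresh customer.
    canonicalise=True compares mailboxes instead, so a variant of an address
    that already owns an account is refused (or, in a real flow, sent to an
    ownership-confirmation step rather than straight into a trial).
    """
    if not canonicalise:
        return candidate not in existing
    taken = {canonical_mailbox(e) for e in existing}
    return canonical_mailbox(candidate) not in taken


def find_collisions(addresses):
    """Group addresses from an existing user table by the mailbox they reach.

    Returns only mailboxes with more than one spelling on file: these are the
    accounts an attacker may already be aliasing, and they deserve review
    before a canonicalising check is switched on for new sign-ups.
    """
    by_mailbox = defaultdict(list)
    for addr in addresses:
        by_mailbox[canonical_mailbox(addr)].append(addr)
    return {mb: spellings for mb, spellings in by_mailbox.items()
            if len(spellings) > 1}


# Constructed sample user table for the demonstration.
SAMPLE_USERS = [
    "jane.doe@gmail.com",               # the victim's real address
    "ja.ne.doe@gmail.com",              # attacker's trial sign-up, same inbox
    "Jane.Doe+netflix@googlemail.com",  # yet another spelling of that inbox
    "jane.doe@example.com",             # other provider: dots are significant
    "janedoe@example.com",              # genuinely a different mailbox
]

if __name__ == "__main__":
    victim = SAMPLE_USERS[0]
    attacker_variant = "j.a.n.e.doe@gmail.com"
    print("naive check lets the attacker in:",
          signup_allowed([victim], attacker_variant, canonicalise=False))
    print("hardened check refuses it:",
          not signup_allowed([victim], attacker_variant, canonicalise=True))
    for mailbox, spellings in find_collisions(SAMPLE_USERS).items():
        print(f"{mailbox} is registered as {spellings}")
```

The normaliser is deliberately conservative: it rewrites only domains whose behaviour is documented and leaves everything else alone, because applying Gmail’s rules to an arbitrary provider would create the opposite bug and merge customers who really are different people. Running `find_collisions` over a real user table is the first step before turning the canonicalising check on, since any existing duplicates are exactly the accounts this trick may already have touched.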

As Bruce points out, the interaction of these two otherwise secure systems creates a vulnerability in ways their creators probably couldn’t have imagined. This isn’t an intractable problem. Google could make dot-insensitivity a configurable option that is off by default, and Netflix could change how it handles accounts whose payment has lapsed. Who’s responsible for fixing this if/when it’s exploited? Probably your credit card processor at this point.

Who knew dots could cause such a conundrum?

Bruce Schneier comments:

I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.

Read more at: Obscure E-Mail Vulnerability

About the author

Rich Stroffolino

Rich has been a tech enthusiast since he first used the speech simulator on a Magnavox Odyssey². Current areas of interest include ZFS, the false hopes of memristors, and the oral history of Transmeta.