Maybe it’s because I’ve been talking to Karen Lopez recently, but I’ve been struck by how much data matters. Forget the new cliché that “data is the new oil”. Really, it’s not just the data en masse that’s important, but also the way it’s collected. Since Facebook has been in the news incessantly over its data collection practices, let’s use them as a quick example. If an ad agency called you out of the blue and asked you for reams of personal information in exchange for coupons or some other pittance, you’d probably yell at them and hang up in disgust. But frame that collection around a social network with baby pictures and memes, and all of a sudden you’re forking over personal information all day!
Bruce Schneier reveals the security implication of this in the different ways Google and Netflix handle dots (technically periods, I suppose) in email addresses. One of the “features” Gmail has long supported is ignoring all dots to the left of the @ sign in an email address. This can be a useful hack for creating a “spam” signup address: just filter for [email protected] and all of a sudden you’re weeding out promotional junk.
But the problem arises when other services don’t recognize this. Netflix applies a much stricter criterion to email addresses, treating each dot in an address as significant regardless of placement. So a nefarious actor could sign up for a trial account using [email protected]. When the trial expires and payment is required, Gmail accepts the dotted variant of the address and routes the payment notice to the real owner’s inbox. That person could easily assume the notice concerns their own account, enter their credit card info, and then be summarily locked out of an account the attacker controls.
As Bruce points out, the interaction of these two otherwise secure systems creates a vulnerability in a way their creators probably couldn’t have imagined. This isn’t an intractable problem. Google could make recognizing dots in addresses a configurable option, deactivated by default, and Netflix could change how it processes accounts whose payment has lapsed. Who’s responsible for fixing this if/when it’s exploited? Probably your credit card processor at this point.
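The mismatch is that Gmail compares mailboxes after discarding dots while a strict service compares the raw string. A signup check that compares at the mailbox level closes that gap; the following is an added example written for this post, not code from Netflix, Google, or the original article, and the account store and addresses in it are constructed.

```python
"""Canonicalize Gmail addresses so dot-variants map to one mailbox."""

# Domains whose local part is dot-insensitive (Gmail's documented behaviour).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return a key identifying the mailbox that will actually receive mail.

    For Gmail domains the dots in the local part are ignored, so
    'j.o.h.n@gmail.com' and 'john@gmail.com' are the same inbox. For any
    other domain the local part is left as-is, because dots are
    significant in general; only the domain is lowercased.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "").lower()
        domain = "gmail.com"  # googlemail.com is an alias of the same mailbox
    return f"{local}@{domain}"


def find_collision(new_address: str, existing_addresses):
    """Return the existing address that reaches the same mailbox, or None.

    A strict string comparison sees 'john.doe@gmail.com' and
    'jo.hn.doe@gmail.com' as two customers; at the mailbox level they are
    one, so the second signup should be flagged for review rather than
    silently accepted as a new account.
    """
    key = canonical_mailbox(new_address)
    for existing in existing_addresses:
        if canonical_mailbox(existing) == key:
            return existing
    return None


if __name__ == "__main__":
    # Constructed sample account store for demonstration only.
    accounts = ["john.doe@gmail.com", "alice@example.org"]
    print(find_collision("jo.hn.doe@gmail.com", accounts))  # john.doe@gmail.com
    print(find_collision("a.lice@example.org", accounts))   # None: dots matter here
```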
Who knew dots could cause such a conundrum?
Bruce Schneier comments:
I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.
Read more at: Obscure E-Mail Vulnerability