Maybe it’s because I’ve been talking to Karen Lopez recently, but I’ve been struck lately by how much data matters. Forget the new cliche that “data is the new oil”. Really, it’s not just the data en masse that’s important, but also the way it’s collected. Since Facebook has been in the news incessantly about its data collection practices, let’s use them as a quick example. If an ad agency called you out of the blue and asked you for reams of personal information in exchange for coupons or some other pittance, you’d probably yell at them and hang up in disgust. But frame that collection around a social network with baby pictures and memes, and all of a sudden you’re forking over personal information all day!
Bruce Schneier reveals the security implication of this in the different ways Google and Netflix handle dots (technically periods, I guess) in email addresses. One of the “features” Gmail has long supported is ignoring all dots to the left of the @ sign in an email address. This can be a useful hack for creating a “spam” signup address: just filter for [email protected] and all of a sudden you’re weeding out promotional junk.
But the problem arises when other services don’t recognize this. Netflix has much stricter criteria for email addresses, treating each dot in an address as significant regardless of placement. So a nefarious actor could sign up for a trial account using [email protected]. When the trial expires and payment is required, Gmail accepts the derivative email address and routes the notice to the Gmail user’s inbox. They could easily assume it concerns their own account, update their credit card info, and then be summarily locked out of the account.
As Bruce points out, the interaction of these two otherwise secure systems creates the vulnerability in ways their creators probably couldn’t have imagined. This isn’t an intractable problem. Google could make recognizing dots in addresses a configurable option deactivated by default, and Netflix could change how it processes defaulted accounts. Who’s responsible for fixing this if/when it’s exploited? Probably your credit card processor at this point.
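One service-side mitigation is to compare each new signup against existing accounts under the receiving provider’s own equivalence rules rather than by exact string match. The following is an added example, not code from this post or from Google or Netflix: it normalizes addresses at dot-insensitive domains by dropping dots and any “+tag” in the local part, then flags a signup whose mailbox already belongs to another account. The domain list and the sample addresses are assumptions constructed for the example.

```python
import re

# Domains that deliver mail to one inbox regardless of dots in the local part
# (the Gmail behaviour described above). This set is an assumption for the
# example; a real service would maintain it deliberately.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

ADDRESS_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def canonical_mailbox(address: str) -> str:
    """Return the address as the receiving provider would route it.

    For dot-insensitive domains, dots are removed from the local part, a
    '+tag' suffix is dropped and the local part is lower-cased, so every
    spelling that lands in one inbox maps to one canonical string. For other
    domains only the domain is lower-cased, since their local parts may
    legitimately be dot- or case-sensitive.
    """
    m = ADDRESS_RE.match(address.strip())
    if not m:
        raise ValueError(f"not a single user@domain address: {address!r}")
    local, domain = m.group(1), m.group(2).lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@{domain}"


def find_collision(new_address: str, existing_addresses):
    """Return the first existing account whose mailbox equals the new
    signup's even though the strings differ (strict, Netflix-style matching
    would treat them as distinct accounts), or None if there is no overlap."""
    target = canonical_mailbox(new_address)
    for existing in existing_addresses:
        if existing != new_address and canonical_mailbox(existing) == target:
            return existing
    return None


if __name__ == "__main__":
    # Constructed sample data for this example.
    accounts = ["janedoe@gmail.com", "j.doe@example.org"]
    print(find_collision("jane.doe@gmail.com", accounts))  # janedoe@gmail.com
    print(find_collision("jdoe@example.org", accounts))    # None: example.org is dot-sensitive
```

A signup that returns a collision is one the service can hold for verification of the canonical mailbox instead of creating a second account that bills the same inbox.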
Who knew dots could cause such a conundrum?
Bruce Schneier comments:
I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.
Read more at: Obscure E-Mail Vulnerability