The dots do matter: how to scam a Gmail user

https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html

        Where is the security flaw here? Some would say it's Netflix's
        fault; that Netflix should verify the email address on sign
        up. But using someone else's address on signup only cedes
        control of the account to that person. Others would say that
        Netflix should disallow the registration of
        james.hfis...@gmail.com, but this would force Netflix and
        every other website to have insider knowledge of Gmail's
        canonicalization algorithm.  Actually, the blame lies with
        Gmail, and specifically Gmail's "dots don't matter" feature.
        The scam fundamentally relies on the Gmail user responding to
        an email with the assumption that it was sent to their
        canonical address, and not to some other address from their
        infinite address set.

 - - -

This has been a problem with Gmail for ages. Even if you are not
scammed by crooks exploiting this, it can be a vector for yet more
spam, not all of which Gmail will detect. Gmail users have long needed
a way to control this feature, and to specify precisely which dotted
forms should be considered as their valid Gmail addresses.

--Lauren--
Lauren Weinstein (lau...@vortex.com): https://www.vortex.com/lauren 
Lauren's Blog: https://lauren.vortex.com
Google Issues Mailing List: https://vortex.com/google-issues
Founder: Network Neutrality Squad: https://www.nnsquad.org 
         PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility: https://www.pfir.org/pfir-info
Member: ACM Committee on Computers and Public Policy
Google+: https://google.com/+LaurenWeinstein
Twitter: https://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800
_______________________________________________
pfir mailing list
https://lists.pfir.org/mailman/listinfo/pfir
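
An added example, not part of the original post or the quoted article: a mail-filter style check that flags a message whose recipient is a dotted variant of the user's Gmail address rather than one of the forms the user has chosen to accept. It assumes only the dot-insensitivity described above; the addresses, the sample message and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

GMAIL_DOMAINS = {"gmail.com"}  # assumption: only the dot rule for this domain is modelled


def canonical(addr):
    """Collapse a Gmail address to its dot-free form; other domains are only lowercased."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr  # not an address with a domain part; leave untouched
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def check_recipients(raw_message, accepted_forms):
    """Classify every To/Cc address as 'accepted', 'dotted-variant' or 'other'.

    'dotted-variant' means the mail reaches the same Gmail mailbox but was
    addressed to a form the user never chose to use.
    """
    accepted = {a.strip().lower() for a in accepted_forms}
    mailbox = {canonical(a) for a in accepted}
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    results = []
    for _name, addr in getaddresses(headers):
        addr = addr.lower()
        if addr in accepted:
            verdict = "accepted"
        elif canonical(addr) in mailbox:
            verdict = "dotted-variant"
        else:
            verdict = "other"
        results.append((addr, verdict))
    return results


# Constructed sample: the user only ever gives out sample.user@gmail.com.
ACCEPTED = {"sample.user@gmail.com"}
SAMPLE = (
    "From: Streaming Service <info@example.com>\n"
    "To: Sample User <sa.mpleuser@gmail.com>\n"
    "Cc: billing@example.com\n"
    "Subject: Please update your payment details\n"
    "\n"
    "Your account is on hold.\n"
)

if __name__ == "__main__":
    for address, verdict in check_recipients(SAMPLE, ACCEPTED):
        print(f"{verdict:15} {address}")
```
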
