Date: Sat, 7 Apr 2018 18:40:51 -0700

NNSquad http://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html

Where is the security flaw here? Some would say it's Netflix's fault; that
Netflix should verify the email address on sign up. But using someone
else's address on signup only cedes control of the account to that
person. Others would say that Netflix should disallow the registration of
james.hfisher@gmail.com, but this would force Netflix and every other
website to have insider knowledge of Gmail's canonicalization algorithm.
Actually, the blame lies with Gmail, and specifically Gmail's "dots don't
matter" feature. The scam fundamentally relies on the Gmail user
responding to an email with the assumption that it was sent to their
canonical address, and not to some other address from their infinite
address set.

This has been a problem with Gmail for ages. Even if you are not scammed by crooks exploiting this, it can be a vector for yet more spam, not all of which Gmail will detect. Gmail users have long needed a way to control this feature, and to specify precisely which dotted forms should be considered as their valid Gmail addresses.
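As an added illustration (not from the linked article or this list post), here is the canonicalization the quoted text says every website would need to know, written as a defensive signup-time check: it flags a new registration whose Gmail mailbox already belongs to an existing account under a different dotted spelling, and deliberately leaves non-Gmail domains alone because dots are significant there. The `+tag` rule and the `googlemail.com` alias are assumptions drawn from Gmail's documented behaviour, not stated on the page.

```python
from typing import Iterable, Optional

# Domains that apply Gmail's "dots don't matter" rule. gmail.com is from the
# article; googlemail.com is assumed to share the rule.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> Optional[str]:
    """Return the single mailbox a Gmail-hosted address delivers to, or None
    when the domain is not Gmail-hosted (there, dots are significant and no
    canonicalization should be applied)."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain not in GMAIL_DOMAINS:
        return None
    # Gmail ignores case, every dot in the local part and any "+tag" suffix
    # (the +tag rule is an assumption, not mentioned on the page).
    local = local.lower().split("+", 1)[0].replace(".", "")
    return f"{local}@gmail.com"


def dotted_variant_of(address: str, known_addresses: Iterable[str]) -> Optional[str]:
    """Return an already-registered address that reaches the same Gmail
    mailbox as `address` but is spelled differently, or None if there is none.
    A site can use this to warn, or require re-verification, instead of
    silently creating a second account on a mailbox someone else controls."""
    canon = canonical_gmail(address)
    if canon is None:
        return None
    for existing in known_addresses:
        if existing.lower() != address.lower() and canonical_gmail(existing) == canon:
            return existing
    return None


if __name__ == "__main__":
    # Constructed sample: the address from the article versus its undotted form.
    registered = ["alice@example.com", "jameshfisher@gmail.com"]
    print(dotted_variant_of("james.hfisher@gmail.com", registered))  # jameshfisher@gmail.com
```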