Netflix has acknowledged a security flaw that puts users who registered to the online streaming service using a Gmail account at risk of a phishing scam. The flaw utilizes a little-known Gmail feature in order to trick users into putting in their credit card information and paying for someone else’s Netflix subscription.
“We are aware of this Gmail-specific feature and are actively working on measures to protect against it being used in a malicious way toward Netflix and our members,” a spokesperson for Netflix said in an email sent to Calcalist on Monday.
The security flaw was first made public by U.S.-based software developer Jim Fisher in a blog post published on Saturday. After receiving a message from Netflix in his Gmail inbox urging him to update his credit card information, and almost doing so, Mr. Fisher realized that the listed email address differed from his own, containing an extra dot.
Gmail’s policy on dots in email addresses is to ignore them altogether, so that if someone adds or omits dots in an address, the message will still reach the person they are addressing. This means, for instance, that email@example.com and firstname.lastname@example.org are the same email address, as far as Gmail is concerned. This is, however, not the case with Netflix, which treats dots as an integral part of the email address, meaning that each of these variants can be associated with a different account.
When setting up a new account on Netflix, the website requires no email verification, so that anyone can sign up with any email address, even if they do not own it. According to Mr. Fisher, following the link within the email, he could change the billing information without needing to log in, so that an unsuspecting user may find themselves unwittingly paying for somebody else’s Netflix account.
Here is how it works, according to Mr. Fisher: the scammer uses Netflix’s sign-up form to find a Gmail address that is “already registered”. Then, adding a dot to the username, they use it to set up a new account, listing a prepaid debit card as their payment method. Once the card is validated by Netflix, the scammer cancels the card, and when Netflix attempts to bill it, the victim receives an email message telling them to update their credit card information. If the victim takes the bait, the scammer can subsequently change the email address associated with their account, revoking the victim’s access to it but leaving them with the bill.
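
One way a sign-up service could close the mismatch described above, shown as an added example that is not Netflix’s code and not from Mr. Fisher’s post: key each account on the mailbox that actually receives the mail, so Gmail dot-variants collide at registration. The names `mailbox_key` and `SignupRegistry` and the sample addresses are constructed for illustration; folding letter case and the googlemail.com alias goes beyond the dots the article mentions.

```python
# Added example: treat Gmail dot-variants as one mailbox at sign-up.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # both deliver to the same Gmail mailbox


def mailbox_key(address: str) -> str:
    """Return a key identifying the mailbox that receives mail for `address`."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots and letter case in the username.
        local = local.replace(".", "").lower()
        domain = "gmail.com"
    # Other providers: keep the username as typed, their rules are not known here.
    return f"{local}@{domain}"


class SignupRegistry:
    """Hypothetical account store keyed by receiving mailbox, not by the typed string."""

    def __init__(self):
        self._accounts = {}  # mailbox key -> address as first registered

    def register(self, address: str) -> str:
        key = mailbox_key(address)
        existing = self._accounts.get(key)
        if existing is not None:
            raise ValueError(
                f"{address!r} reaches the same mailbox as existing account {existing!r}"
            )
        self._accounts[key] = address
        return key


if __name__ == "__main__":
    registry = SignupRegistry()
    registry.register("sample.user@gmail.com")  # constructed sample address
    for attempt in ("sampleuser@gmail.com",          # same mailbox, dot removed
                    "s.ample.user@googlemail.com",   # same mailbox, alias domain
                    "sample.user@example.org"):      # different provider
        try:
            registry.register(attempt)
            print("accepted:", attempt)
        except ValueError as err:
            print("rejected:", err)
```

Canonicalization only covers providers whose addressing rules are known; confirming ownership of the address before billing details can be attached to it covers the rest.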