Obscure E-Mail Vulnerability

Аватар пользователя schneier
Автор: Шнайер Брюс,
(0)
()
Об авторе: 
Американский криптограф, доктор в области компьютерных наук и популярный автор книг по ИБ. Основатель криптографической компании Counterpane Internet Security. Ранее работал на Министерство обороны США.

This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the same as b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those email addresses -- if they're even valid.) Netflix doesn't ignore dots, so those are all unique e-mail addresses and can each be used to register an account. This difference can be exploited.

I was almost fooled into perpetually paying for Eve's Netflix access, and only paused because I didn't recognize the declined card. More generally, the phishing scam here is:

  • Hammer the Netflix signup form until you find a gmail.com address which is "already registered". Let's say you find the victim jameshfisher.
  • Create a Netflix account with address james.hfisher.
  • Sign up for free trial with a throwaway card number.
  • After Netflix applies the "active card check", cancel the card.
  • Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  • Hope Jim reads the email to james.hfisher, assumes it's for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  • Change the email for the Netflix account to eve@gmail.com, kicking Jim's access to this account.
  • Use Netflix free forever with Jim's card **** 1234!

Obscure, yes? A problem, yes?

James Fisher, who wrote the post, argues that it's Google's fault. Ignoring dots might give people an enormous number of different email addresses, but it's not a feature that people actually want. And as long as other sites don't follow Google's lead, these sorts of problems are possible.

I think the problem is more subtle. It's an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we're going to see a lot more of these. And like this Google/Netflix interaction, it's going to be hard to figure out who to blame and who -- if anyone -- has the responsibility of fixing it.

Оцените материал:
Total votes: 42
 
Комментарии в Facebook
 

Вы сообщаете об ошибке в следующем тексте:
Нажмите кнопку «Сообщить об ошибке», чтобы отправить сообщение. Вы также можете добавить комментарий.