Netflix has acknowledged a security flaw that puts users who registered to the online streaming service using a Gmail account at risk of a phishing scam. The flaw utilizes a little-known Gmail feature in order to trick users into putting in their credit card information and paying for someone else’s Netflix subscription. This flaw is based on how Netflix and Gmail view dots in the email address. Gmail’s policy on dots in email addresses is to ignore them altogether, so that if someone adds or misses dots in an address the message will still get to the person they are addressing. This means, for instance, that an address written with a dot and the same address without it (jane.doe@gmail.com and janedoe@gmail.com, to take a made-up name) are the same email address, as far as Gmail is concerned. This is, however, not the case with Netflix, which treats dots as an integral part of the email address, meaning that each of these variants can be associated with a different account.
The way this flaw works is that a scammer will use the signup page to find a Gmail address already registered and then add a dot to the address to create a new account. Then they will use a prepaid card as their payment method and, once Netflix validates the card, cancel it. Once Netflix fails to bill the card it will send an email to the victim asking them to update their payment method. The victim then puts their credit card info in and ends up paying for two Netflix accounts. One way to avoid becoming a victim of the flaw is to either not use a Gmail address with Netflix or to pay close attention to the email address Netflix is sending the email to. If you have not signed up to Netflix using a dot in your Gmail address and the email is addressed to your Gmail with a dot in it, then disregard the email. Another is to not use any link in the email and to go to Netflix and log in using your username/password to check your payment method. If everything checks out, disregard the email.
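The mismatch described above comes down to one question: does a service consider two addresses that Gmail delivers to the same mailbox to be the same account? The following is an added example, not code from Netflix, Google, or the article, showing the two checks that follow from the story: a service-side signup check that maps dot variants of a Gmail address to one canonical mailbox before accepting a new account, and the user-side check the article recommends, which flags a billing notice addressed to a dotted variant of an address you never registered with dots. It also drops Gmail's `+tag` suffix, a second Gmail feature that routes to the same mailbox and that the article does not mention. All function names and the sample addresses are constructed for this example.

```python
"""Canonicalising Gmail addresses so that dot variants map to one mailbox.

Added example, not code from any service named in the article. Gmail ignores
dots in the local part and delivers "name+tag@gmail.com" to "name@gmail.com";
a service that stores the raw string treats each variant as a separate user,
which is the gap the phishing scheme relies on.
"""
from typing import Iterable, Optional

# Domains whose local parts Gmail normalises (googlemail.com is an alias).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return a canonical form of an address for duplicate-account checks.

    For Gmail mailboxes, dots in the local part are removed and any '+tag'
    suffix is dropped, because Gmail delivers all such variants to the same
    inbox. For other domains only case is folded; dot handling there is
    provider-specific, so no dots are stripped.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    # Local parts are case-folded as a practical choice for duplicate checks.
    return f"{local.lower()}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses reach the same inbox under the rules above."""
    return canonical_mailbox(a) == canonical_mailbox(b)


def signup_conflict(new_address: str,
                    existing_addresses: Iterable[str]) -> Optional[str]:
    """Service-side check: return the registered address that the new signup
    collides with, or None. A service applying this at registration would
    refuse the dotted duplicate instead of creating a second account."""
    wanted = canonical_mailbox(new_address)
    for existing in existing_addresses:
        if canonical_mailbox(existing) == wanted:
            return existing
    return None


def billing_notice_is_suspicious(registered_address: str,
                                 addressed_to: str) -> bool:
    """User-side check from the article: a notice is suspicious when it is
    addressed to a variant that Gmail delivers to you but that differs
    literally from the address you registered with."""
    if registered_address.strip().lower() == addressed_to.strip().lower():
        return False  # exactly the address on file: nothing unusual here
    return same_mailbox(registered_address, addressed_to)


if __name__ == "__main__":
    # Constructed sample data: one Gmail user already on file.
    registered = ["janedoe@gmail.com", "bob@example.org"]
    attempt = "jane.doe@gmail.com"
    clash = signup_conflict(attempt, registered)
    print(f"signup {attempt!r} collides with {clash!r}")
    # A billing notice addressed to the dotted variant should be flagged.
    notice_to = "jane.doe@gmail.com"
    print("notice suspicious:",
          billing_notice_is_suspicious("janedoe@gmail.com", notice_to))
```

The service-side check is the durable fix: if registration had compared canonical mailboxes rather than raw strings, the dotted signup would have been rejected as a duplicate and the prepaid-card step would never have started. The user-side check is only a heuristic, since a notice that happens to match the registered string exactly tells you nothing about whether it is genuine.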