Gmail ignores any dots you put in the address, but other sites don't. For example, the blogger got a link that allowed him into someone else's Netflix account because an e-mail notification (saying updated credit card info was needed) was sent to his e-mail address. Basically, he'd registered his account with a dot-less address (jameshfisher@gmail.com). Someone else registered an account with james.hfisher, and voilà. Netflix sees them as separate, Gmail doesn't.

The result is a pretty insidious kind of phishing: the e-mail looks like it's legitimately from Netflix, because it is. And because Netflix sends a pre-authenticated link, he didn't have to enter a password. From this, it seems like a good way to scam someone into paying for your Netflix account:

    1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.

    2. Create a Netflix account with address james.hfisher.

    3. Sign up for free trial with a throwaway card number.

    4. After Netflix applies the “active card check”, cancel the card.

    5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.

    6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card 1234.

    7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.

    8. Use Netflix free forever with Jim’s card 1234!

posted 2200 days ago