SSL and internet security news

gmail

Auto Added by WPeMatico

Obscure E-Mail Vulnerability

This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the same as b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those email addresses — if they’re even valid.) Netflix doesn’t ignore dots, so those are all unique e-mail addresses and can each be used to register an account. This difference can be exploited.

I was almost fooled into perpetually paying for Eve’s Netflix access, and only paused because I didn’t recognize the declined card. More generally, the phishing scam here is:

  • Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
  • Create a Netflix account with address james.hfisher.
  • Sign up for free trial with a throwaway card number.
  • After Netflix applies the “active card check”, cancel the card.
  • Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  • Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  • Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
  • Use Netflix free forever with Jim’s card **** 1234!

Obscure, yes? A problem, yes?

James Fisher, who wrote the post, argues that it’s Google’s fault. Ignoring dots might give people an enormous number of different email addresses, but it’s not a feature that people actually want. And as long as other sites don’t follow Google’s lead, these sorts of problems are possible.

I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.

Powered by WPeMatico

Google Login Security for High-Risk Users

Google has a new login service for high-risk users. it’s good, but unforgiving.

Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google’s malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you’ll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google’s other safeguards.

It’s called Advanced Protection.

Powered by WPeMatico