If your Netflix account is registered with a Gmail address, beware of any email from Netflix asking you to renew your payment info. That is the warning from a developer who came within inches of paying someone else’s Netflix bill with his own credit card.
James Fisher signed up for Netflix in 2013 using firstname.lastname@example.org, an address that Google treats as the same mailbox as email@example.com because Gmail ignores dots in the local part of an address, the infamous “dots don’t matter” feature that Google insists is a good thing for users.
A person with a similar name in a different state had used this email address to sign up for Netflix. When something went wrong with the billing, Netflix emailed the real Fisher, asking him to renew his credit card details, not knowing that someone else was behind the dotted version of the address.
As Fisher recalls, he was seconds away from renewing his credit card number – essentially supplying a valid payment for someone else’s Netflix service – when he noticed that something was amiss.
“The email is genuinely from netflix.com, so I clicked the link,” Fisher writes. “It logged me in and took me to an ‘Update your credit or debit card’ page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the ‘Update’ page showed my declined card as **** 2745. A card number I don’t recognize. Checking my records, I’ve never seen this card number. What’s going on?”
“I finally realized that this email is to firstname.lastname@example.org. I normally use email@example.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because ‘dots don’t matter in Gmail addresses.’”
He then demonstrates how a standard phishing scam could take advantage of this mismatch between how Gmail and Netflix treat the two forms of the address. Indeed, it seems ridiculously easy to exploit and trick someone into paying for your Netflix membership.
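The root cause above is that Netflix stored two addresses that Gmail delivers to one mailbox. As an added example, not from the article or from either company, the Python below canonicalizes addresses the way Gmail routes them (dots ignored, case ignored, googlemail.com folded into gmail.com, and, going slightly beyond the article, a “+tag” suffix dropped) so a signup system can flag that a new registration collides with an existing account’s mailbox and require a fresh verification before trusting it. All addresses in the sample list are constructed placeholders.

```python
# Added example: detect registrations that resolve to the same Gmail mailbox.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address: str) -> str:
    """Return the mailbox that actually receives mail for `address`.

    For Google-hosted personal addresses, dots in the local part and a
    '+tag' suffix do not affect delivery, and googlemail.com is the same
    mailbox as gmail.com. Other domains are only lowercased, since their
    local-part rules are not known to us.
    """
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower()
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    else:
        local = local.lower()
    return f"{local}@{domain}"


def find_mailbox_collisions(signups):
    """Group raw signup addresses by canonical mailbox and return only the
    mailboxes claimed by more than one distinct raw address."""
    seen = {}
    for raw in signups:
        seen.setdefault(canonical_address(raw), set()).add(raw)
    return {mailbox: sorted(raws) for mailbox, raws in seen.items()
            if len(raws) > 1}


# Constructed sample registrations (placeholder names, not real accounts).
SAMPLE_SIGNUPS = [
    "first.last@gmail.com",
    "firstlast@gmail.com",
    "First.Last+netflix@googlemail.com",
    "first.last@example.com",   # different provider: not a collision
    "other.person@gmail.com",
]

if __name__ == "__main__":
    for mailbox, raws in find_mailbox_collisions(SAMPLE_SIGNUPS).items():
        print(f"{mailbox} is shared by {len(raws)} registrations: {raws}")
```

A service that runs this check at signup (and at every change of payment details) can tell that a billing email would reach a mailbox already tied to another account, which is exactly the ambiguity that put Fisher on someone else’s payment page.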