In the email security community, the use of confirmed opt-in has long been a recommended practice: an email address given to you can't be used until the account owner has confirmed (by clicking a link in, or replying to, a confirmation email) that they do indeed own that email address. When email service provider Mailchimp removed confirmed opt-in as the default for its customers, it received strong criticism, and VB has, in the past, found a positive correlation between newsletters that use a confirmed opt-in procedure and their delivery rates.
Though receiving unwanted email because someone has accidentally signed up to a newsletter using your email address may be a relatively rare occurrence, there are more important security reasons that make confirmed opt-in an absolute must.
A few years ago, it was discovered that Skype's failure to validate email addresses could lead to account hijacks. Now a researcher has found a way to use Netflix's lack of verification, combined with the fact that Gmail ignores dots in the local part of email addresses, to trick someone else into paying for your Netflix subscription.
The proof-of-concept involves finding a Gmail address that is used for a Netflix subscription, then registering a new account with a few dots added to or removed from that address and using a throwaway credit card, which is subsequently cancelled. Netflix will then send an email asking for a card update. Because Gmail delivers the dotted variant to the original subscriber's mailbox, and they are indeed a Netflix subscriber, they may take it to be a legitimate request and update the card details on what is in fact the attacker's account.
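The root of the trick is that, for Gmail, many syntactically different addresses name one mailbox. A service that keys accounts on the literal string it was given cannot see that a "new" signup collides with an existing subscriber. The following is an added example (written for this post, not Netflix's or Google's code) of canonicalising an address to the mailbox it actually lands in, and of checking a new signup against an existing account index. The set of dot-insensitive domains and the sample accounts are assumptions made for the example; Gmail's behaviour (dots ignored, case ignored, "+tag" ignored, googlemail.com equivalent to gmail.com) is real.

```python
# Added example: canonicalise an email address to the mailbox it really
# reaches, so that dotted variants of one Gmail address collide.
# Assumption for the example: only Gmail/Googlemail are dot-insensitive;
# extend this set from your own provider knowledge.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return a key identifying the mailbox `address` is delivered to."""
    address = address.strip().lower()          # Gmail ignores case
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    if domain == "googlemail.com":             # same mailboxes as gmail.com
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]         # "+tag" sub-addressing is ignored too
        local = local.replace(".", "")         # the dot trick from the post
    return f"{local}@{domain}"


def dotted_variant_count(local: str) -> int:
    """How many distinct dot placements collapse to one Gmail mailbox:
    each of the n-1 gaps between characters may or may not hold a dot."""
    base = local.replace(".", "")
    return 2 ** (len(base) - 1) if len(base) > 1 else 1


def build_index(accounts):
    """accounts: iterable of (account_id, address). Returns canonical key -> id."""
    index = {}
    for account_id, address in accounts:
        index[canonical_mailbox(address)] = account_id
    return index


def find_collision(index, new_address):
    """Account id whose mailbox a new signup would share, or None."""
    return index.get(canonical_mailbox(new_address))


# Constructed sample data for the example (not real accounts).
SAMPLE_ACCOUNTS = [
    ("acct-1", "Jane.Doe@gmail.com"),
    ("acct-2", "bob@example.com"),
]
SAMPLE_INDEX = build_index(SAMPLE_ACCOUNTS)
```

A signup flow can call `find_collision` before accepting an address and, on a hit, treat the new account as already owned by `acct-1` rather than as a fresh customer. For a seven-character Gmail local part there are 64 dot placements that all reach the same inbox, which is why matching on the literal string is not a defence.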
I think it is unfair to blame this on Gmail and its decision to make two addresses that differ only in their dots go to the same mailbox. There are many other ways in which different addresses can lead to the same mailbox.
Netflix, which tends to have a good security reputation in general, should simply follow a long-established best practice and verify those email addresses, even when people only sign up for a free trial.
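For readers who want to see what "verify those email addresses" amounts to in code, here is an added example of a confirmed opt-in step (my illustration, not Netflix's implementation): the service mails a signed, expiring token to the address it was given, and no account is treated as confirmed, and no billing email is sent, until that exact token comes back. The secret key, the 24-hour lifetime and the `SignupStore` class are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Assumption for the example: a server-side secret, rotated like any other key.
SECRET = b"example-only-secret-rotate-me"


def issue_confirmation_token(email: str, ttl: int = 24 * 3600, now=None) -> str:
    """HMAC-signed token bound to the exact address we mailed and to an expiry."""
    now = int(time.time() if now is None else now)
    payload = f"{email.strip().lower()}|{now + ttl}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def confirm_token(token: str, now=None):
    """Return the confirmed address, or None if the token is malformed,
    tampered with, or expired."""
    now = int(time.time() if now is None else now)
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    email, _, expiry = payload.decode(errors="replace").rpartition("|")
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return email


class SignupStore:
    """Minimal account store: an address is usable only once confirmed."""

    def __init__(self):
        self.accounts = {}

    def start_signup(self, email: str, now=None) -> str:
        key = email.strip().lower()
        self.accounts[key] = {"confirmed": False}
        return issue_confirmation_token(key, now=now)   # this goes in the email

    def complete_signup(self, token: str, now=None) -> bool:
        email = confirm_token(token, now=now)
        if email is None or email not in self.accounts:
            return False
        self.accounts[email]["confirmed"] = True
        return True

    def may_send_billing_mail(self, email: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        return bool(acct and acct["confirmed"])
```

The point of the expiry and the signature is that a confirmation link cannot be forged or replayed weeks later; the point of gating `may_send_billing_mail` on the confirmed flag is that an unconfirmed signup, such as the dotted Gmail variant in the proof-of-concept, never triggers a "please update your card" email to someone who did not sign up.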