Netflix account takeover using Google Obscure email vulnerability




 What is Obscure email vulnerability

Obscure email vulnerability in Gmail is interaction between two different ways of handling e-mail addresses which means shaquibdexter@gmail.com would be same as shaquib.dexter@gmail.com and this is also same as dexters.h.a.q.u.i.b@gmail.com. But in case of netflix they don't ignore the dotted part so all of them are unique email address for netflix and each one can be used for registering a new account. So this difference can be exploited .

The phishing part 

  • Try the Netflix signup form until you get a
    gmail.com address which is already registered by some user, for example you find the victim
    shaquibdexter.

  •   Create a Netflix account with address shaquib.dexter

  •   Sign up for free trial with any card no (that card should be throwaway card).

  •   When Netflix applies the active card check, cancel the
    card.

  • Wait for Netflix to bill the cancelled card. Then Netflix
    will emails shaquib.dexter asking for a valid card.

  •   Hope that dexter will read that email to dexter.weesely, thinking it's for
    his Netflix account backed by shaquibdexter, then enters hiscard **4567.

  • Change the email for the Netflix account to new@gmail.com,
    kicking shaquibdexter's access to this account.

  •   Use Netflix free forever with his card **** 4567!

Comments

Popular posts from this blog

USB forensic : Find the history of every connected USB device on your computer

Crawling pastebin to find specific pastedump

Hack WinRAR password by using Brute force attack

Fileless malware Analysis with Cuckoo sandbox

Web application penetration testing: Tools and Techniques for web security auditing