Netflix Account Takeover Vulnerability

April 26, 2018 | Views: 4504


Netflix Account Takeover with Google Obscure Email Vulnerability

What is the Obscure Email Vulnerability?

The "obscure email" problem is not a bug in Gmail on its own but an interaction between two ways of handling addresses. Gmail ignores dots in the local part, so shaquibdexter@gmail.com, shaquib.dexter@gmail.com and s.h.a.q.u.i.b.dexter@gmail.com all deliver to the same inbox. Netflix, however, does not apply that rule: each dotted spelling is a distinct email address to Netflix, and each one can be used to register a separate account. The mismatch between the two systems is what the takeover below exploits.

The phishing part

Here is how the account takeover works.
  • Try gmail.com addresses in the Netflix signup form until you hit one that is already registered by some user; say you find the victim shaquibdexter@gmail.com.
    • Note that googlemail.com is treated by Google as the same domain as gmail.com, so the domain can be spelled either way.
  • Create a Netflix account with the address shaquib.dexter@gmail.com. Netflix treats it as a new address, but Gmail delivers its mail to the victim's inbox.
  • Sign up for a free trial with any card number (use a throwaway card).
  • When Netflix runs its active-card check, cancel the card.
  • Wait for Netflix to bill the canceled card. Netflix will then email shaquib.dexter@gmail.com asking for a valid card.
  • Hope that the victim reads that email, assumes it concerns his own Netflix account registered as shaquibdexter@gmail.com, and enters his card ending **** 4567.
  • Change the email on the attacker-created account to new@gmail.com, so the victim's inbox no longer receives notices about the account and he cannot recover it.
  • Use Netflix free forever on his card **** 4567!
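As an added illustration (this is not code from the post, nor anything Netflix or Google ships), the following Python shows the mismatch the two sections above describe: a canonicalisation routine that maps every Gmail spelling to the one inbox it delivers to, and a small sign-up store run twice, once comparing addresses byte-for-byte as the post says Netflix does and once keyed on the canonical mailbox. The attacker's second step succeeds against the first store and fails against the second. The routine also strips Gmail "+tag" suffixes, which Gmail ignores but the post does not mention; the account names and the AccountRegistry class are constructed for the example.

```python
"""Gmail address canonicalisation and a sign-up check that uses it.

Gmail delivers shaquibdexter@gmail.com, shaquib.dexter@gmail.com and
s.h.a.q.u.i.b.dexter@gmail.com to one inbox (dots in the local part are
ignored, and googlemail.com is an alias for gmail.com).  A service that
compares addresses byte-for-byte treats them as three different users.
"""
from typing import Dict, Optional

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize_email(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail/Googlemail: lowercase, drop dots from the local part, drop a
    '+tag' suffix (Gmail ignores it too; this goes beyond what the post
    mentions) and fold googlemail.com to gmail.com.  Other domains are only
    lowercased; that is the pragmatic assumption most sign-up flows make,
    not an RFC guarantee, and dots are left alone because other providers
    do treat them as significant.
    """
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two spellings reach the same inbox."""
    return canonicalize_email(a) == canonicalize_email(b)


class AccountRegistry:
    """Minimal sign-up store (constructed for this example).

    canonical=False reproduces the behaviour the post attributes to Netflix:
    every spelling is its own account.  canonical=True is the hardened form:
    accounts are keyed by the delivering mailbox, so a dotted variant of an
    existing user's address cannot be registered as a second account.
    """

    def __init__(self, canonical: bool) -> None:
        self.canonical = canonical
        self._accounts: Dict[str, str] = {}   # key -> address as entered

    def _key(self, address: str) -> str:
        if self.canonical:
            return canonicalize_email(address)
        return address.strip().lower()        # exact match, dots significant

    def register(self, address: str) -> bool:
        """Create an account; False if one already exists for that mailbox."""
        key = self._key(address)
        if key in self._accounts:
            return False
        self._accounts[key] = address
        return True

    def owner_of(self, address: str) -> Optional[str]:
        """Address originally registered for this mailbox, if any."""
        return self._accounts.get(self._key(address))


def run_attack(canonical: bool) -> bool:
    """Replay the post's second step against a registry.  Returns True when
    the attacker manages to register a dotted alias of the victim's address."""
    registry = AccountRegistry(canonical)
    registry.register("shaquibdexter@gmail.com")          # the victim
    return registry.register("shaquib.dexter@gmail.com")  # the attacker


if __name__ == "__main__":
    for spelling in ("shaquib.dexter@gmail.com",
                     "s.h.a.q.u.i.b.dexter@googlemail.com",
                     "ShaquibDexter+netflix@gmail.com"):
        print(f"{spelling:40} -> {canonicalize_email(spelling)}")
    print("vulnerable registry, attacker registered:", run_attack(canonical=False))
    print("hardened registry, attacker registered: ", run_attack(canonical=True))
```

Canonicalising at sign-up closes the second step but not the first: the enumeration in step 1 works because the signup form reveals whether an address is already registered. A hardened flow would also avoid that disclosure, for example by accepting the sign-up and emailing the existing owner instead of returning an inline "already registered" error. Note too that the dot-stripping must stay restricted to the Gmail domains; applying it to every provider would merge addresses that really are different mailboxes.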

Bonus *Cybrary Mashup*

These are resources that @ichiroshiro shared with you:

Books

  • allitebooks.com
  • ebook777.com
  • bookboon.com
  • ebookscart.com
  • pdfdrive.net

Blogs

  • techytalk.online
  • null-byte.wonderhowto.com
  • hackingtricktips.blogspot.com
  • hacking-tutorial.com

Hope you enjoy all these resources 🙂

– Ichiro

