Netflix Account Takeover Vulnerability

By: Shaquib Izhar

April 26, 2018

Netflix Account Takeover with Google Obscure Email Vulnerability

What is the Obscure E-mail Vulnerability?
The obscure e-mail vulnerability in Gmail is an interaction between two different ways of handling e-mail addresses: Gmail ignores the dots in the local part of an address, so the dotted and undotted spellings of the same username are delivered to one mailbox. Netflix, however, does not ignore the dotted part. To Netflix each spelling is a unique e-mail address, and each one can be used to register a new account. This difference can be exploited in a takeover attack.
The phishing part
Here is how the account takeover works.
  • Try the Netflix signup form until you find an address that is already registered by some user; for example, you find the victim shaquibdexter.
    • It's important to note that spelling out can also be interpreted the same as
  • Create a Netflix account with the address shaquib.dexter.
  • Sign up for a free trial with any card number (that card should be a throwaway card).
  • When Netflix applies the active card check, cancel the card.
  • Wait for Netflix to bill the cancelled card. Netflix will then email shaquib.dexter asking for a valid card.
  • Hope that Dexter reads that email to dexter.weesely, thinks it's for his Netflix account backed by shaquibdexter, and then enters his card **4567.
  • Change the email for the Netflix account to, kicking shaquibdexter's access to this account.
  • Use Netflix free forever with his card **** 4567!
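As an added example (not code from the original post or from Netflix), this is the normalisation a service could apply at signup so that every dotted, plus-tagged or mixed-case spelling of one Gmail mailbox maps to a single account identity, plus a collision check against already registered addresses. The function names and sample addresses are constructed for this illustration; the dot-insensitive behaviour is assumed only for Gmail's domains, since other providers treat dots in the local part as significant.

```python
from typing import List, Optional

# Domains whose local part is dot-insensitive and which discard "+tag" suffixes.
# This is Gmail behaviour; googlemail.com is Gmail's alternate domain.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonicalize(address: str) -> str:
    """Return a canonical form so that all spellings Gmail delivers to one
    mailbox compare equal. Addresses at other domains are only lowercased,
    because there the dots are significant."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = DOMAIN_ALIASES.get(domain.lower(), domain.lower())
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]   # drop any +tag suffix
        local = local.replace(".", "")   # Gmail ignores dots in the local part
    return f"{local.lower()}@{domain}"


def find_collision(new_address: str, registered: List[str]) -> Optional[str]:
    """Return the already registered address that reaches the same mailbox as
    new_address, or None if the new address is safe to register. A signup
    flow would refuse, or route to account recovery, when this is not None."""
    target = canonicalize(new_address)
    for existing in registered:
        if canonicalize(existing) == target:
            return existing
    return None


if __name__ == "__main__":
    # Constructed sample registry for the demonstration.
    registry = ["alice@example.com", "shaquibdexter@gmail.com"]
    print(find_collision("shaquib.dexter@gmail.com", registry))  # prints shaquibdexter@gmail.com
```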

