By: Shaquib Izhar
April 26, 2018
Netflix Account Takeover with Google Obscure Email Vulnerability

What is the Obscure e-mail Vulnerability?

Gmail ignores dots in the local part of an address, so shaquibdexter@gmail.com, shaquib.dexter@gmail.com and s.h.a.q.u.i.b.dexter@gmail.com are all delivered to the same inbox. Netflix, however, compares the address string literally: to Netflix each dotted spelling is a distinct e-mail address, and each one can be used to register a separate account. The obscure e-mail vulnerability is this mismatch between the two ways of handling addresses, and it can be exploited in the takeover described below.

The phishing part
Here is how the account takeover works.
- Use the Netflix signup form as an oracle: try gmail.com addresses until one is reported as already registered. Say the victim is shaquibdexter@gmail.com.
- Note that Gmail delivers googlemail.com addresses exactly like gmail.com ones, so that domain can be used in the same way.
- Create a Netflix account with the address shaquib.dexter@gmail.com. Netflix treats it as a new, unrelated e-mail address.
- Sign up for the free trial with a throwaway card number.
- Once Netflix has run its active-card check, cancel that card.
- Wait for Netflix to bill the cancelled card. The charge fails and Netflix e-mails shaquib.dexter@gmail.com asking for a valid card; Gmail delivers that message to the victim's inbox at shaquibdexter@gmail.com.
- Hope that the victim reads the e-mail, assumes it concerns his own Netflix account (the one registered with shaquibdexter@gmail.com), follows the link and enters his card ending in 4567.
- Change the e-mail on the attacker's account to new@gmail.com, removing any link between that account and the victim's address.
- Use Netflix free forever, billed to the victim's card ending in 4567.
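The root cause of the steps above is that Netflix keys accounts on the raw address string while Gmail routes on a normalized one. The following Python is an added example (not code from the original post or from Netflix) showing the normalization Gmail applies, how many distinct-looking sign-up addresses map to one inbox, and a naive registry beside a canonicalizing one. It goes slightly beyond the post in also folding case, which Gmail ignores as well; the registry classes, `demo()` and the sample addresses are hypothetical.

```python
"""Gmail dot-insensitivity versus a service that treats each spelling as a new account.

Added example, not from the original post. All names and addresses are hypothetical.
"""
from itertools import product

# Both domains are delivered by Gmail to the same mailbox (assumption stated in the post).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def gmail_canonical(address: str) -> str:
    """Return the mailbox Gmail will actually deliver `address` to.

    For Gmail domains: lower-case, drop every dot in the local part, fold
    googlemail.com to gmail.com. For any other domain only case is folded,
    because most providers (and plain RFC 5321) treat dots as significant.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two addresses land in the same Gmail inbox."""
    return gmail_canonical(a) == gmail_canonical(b)


def dotted_variants(local: str):
    """Yield every dot placement of `local` (no leading, trailing or doubled dots).

    An n-character local part has 2**(n-1) spellings. Gmail delivers all of
    them to one inbox; a service comparing strings literally sees 2**(n-1)
    different users, which is what the attacker exploits at sign-up.
    """
    local = local.replace(".", "")
    if not local:
        return
    for bits in product((False, True), repeat=len(local) - 1):
        out = local[0]
        for ch, dot in zip(local[1:], bits):
            out += ("." if dot else "") + ch
        yield out


class NaiveRegistry:
    """Sign-up store that compares the address string literally (the Netflix-style bug)."""

    def __init__(self):
        self._users = set()

    def register(self, address: str) -> bool:
        """Return True if the address was new and is now registered."""
        key = address.strip().lower()
        if key in self._users:
            return False
        self._users.add(key)
        return True


class CanonicalRegistry(NaiveRegistry):
    """Same store, but keyed on the mailbox the mail will really reach."""

    def register(self, address: str) -> bool:
        return super().register(gmail_canonical(address))


def demo() -> dict:
    """Register the victim, then try the look-alike addresses from the post."""
    victim = "shaquibdexter@gmail.com"
    lookalikes = [
        "shaquib.dexter@gmail.com",
        "s.h.a.q.u.i.b.dexter@gmail.com",
        "ShaquibDexter@googlemail.com",
    ]
    naive, fixed = NaiveRegistry(), CanonicalRegistry()
    naive.register(victim)
    fixed.register(victim)
    return {
        # The naive store accepts every spelling as a brand-new account.
        "naive_accepts": [naive.register(a) for a in lookalikes],
        # The canonicalizing store rejects them all as duplicates of the victim.
        "fixed_accepts": [fixed.register(a) for a in lookalikes],
        # 13 characters in "shaquibdexter" give 2**12 spellings of one inbox.
        "variants_of_victim": sum(1 for _ in dotted_variants("shaquibdexter")),
    }


if __name__ == "__main__":
    print(demo())
```

The fix a service should apply is the `CanonicalRegistry` behaviour: canonicalize Gmail addresses before checking for an existing account, and likewise before sending any "update your payment details" mail, so that a notification can never be routed to an inbox that belongs to a different registered user.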
Bonus: Cybrary Mashup

These are resources that @ichiroshiro shared with you:

Books
- allitebooks.com
- ebook777.com
- bookboon.com
- ebookscart.com
- pdfdrive.net
- techytalk.online
- null-byte.wonderhowto.com
- hackingtricktips.blogspot.com
- hacking-tutorial.com