

Absolutely - his proposed solution (disabling the dots-don't-matter feature and retiring it) does nothing to stop this exact same attack vector when it instead employs the '+' feature that he admires and wishes to retain:

* Hammer the Netflix signup form until you find an address which is “already registered”. Let’s say you find the victim jameshfisher.
* Eve creates a Netflix account with address jameshfisher+netflix.
* Sign up for free trial with a throwaway card number.
* After Netflix applies the “active card check”, Eve cancels the card.
* Wait for Netflix to bill the cancelled card. Then Netflix emails jameshfisher+netflix, going to jameshfisher's inbox, asking for a valid card.
* Hope Jim reads the email to jameshfisher+netflix, assumes it’s for his Netflix account backed by jameshfisher, then (follows a link in the email and) enters his card 1234.
* Eve changes the email for the Netflix account to her own address, kicking Jim’s access to this account.
* Use Netflix free forever with Jim’s card 1234!

Either they're both security liabilities, and they should both be removed, or the problem lies elsewhere.

> Also, you'll rarely have to email companies, but it is a pain if you need to do it from the +plus email.

This is absolutely true, and it's very painful. So many websites have incredibly shitty "security features" and incredibly shitty code. Recommend against using +plus addressing if there is a possibility you'll need to get in touch with support for a website for any reason, and I have a cautionary tale.
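A service-side check that would block the "Eve creates a Netflix account with address jameshfisher+netflix" step in the list above, as an added example that is not from the thread or from any real service: the signup store keys accounts by the mailbox an address actually delivers to, so dot and +tag variants of an existing user collide. The Gmail rules (dots ignored, +tag stripped) are Gmail's documented behaviour; `AccountStore`, `canonical_mailbox` and the sample addresses are constructed for the example.

```python
# Added example: canonicalise Gmail-style addresses so a signup flow treats
# jameshfisher+netflix, james.hfisher and jameshfisher as one mailbox instead
# of letting someone register an alias of an already-registered user.
# The user store, function names and sample addresses are constructed.

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address really delivers to.

    Gmail domains: lowercase, drop everything from the first '+' in the local
    part, remove dots, and fold googlemail.com onto gmail.com. Other domains
    are only lowercased: their alias rules are unknown, and guessing would
    merge genuinely distinct users.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class AccountStore:
    """Constructed in-memory account store keyed by canonical mailbox."""

    def __init__(self):
        self._by_mailbox = {}

    def register(self, address: str) -> bool:
        """Create an account; refuse if the mailbox already owns one."""
        key = canonical_mailbox(address)
        if key in self._by_mailbox:
            return False
        self._by_mailbox[key] = address
        return True

    def owner_of(self, address: str):
        """Return the address originally registered for this mailbox, if any."""
        return self._by_mailbox.get(canonical_mailbox(address))


def demo() -> list:
    """Jim registers once; every alias variant Eve tries is refused."""
    store = AccountStore()
    store.register("jameshfisher@gmail.com")
    attempts = ("jameshfisher+netflix@gmail.com", "james.hfisher@gmail.com",
                "JamesHFisher@googlemail.com")
    return [store.register(a) for a in attempts]  # -> [False, False, False]
```

Canonicalising closes the alias-registration hole but does not replace verifying the address before a payment card is linked, and an "already registered" response is still the oracle the first step of the list relies on, so the form should answer uniformly and deliver the outcome to the mailbox itself.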
