0P3N Blog Blog Post

Netflix Account Takeover Vulnerability

By: Shaquib Izhar
April 26, 2018

netflix-and-chill-takeover-attackNetflix Account Takeover with Google Obscure Email Vulnerability

What is Obscure e-mail Vulnerability
Obscure email vulnerability in Gmail is an interaction between two different ways of handling e-mail addresses which means shaquibdexter@gmail.com would be same as shaquib.dexter@gmail.com and this is also the same as dexters.h.a.q.u.i.b@gmail.com. But in the case of Netflix, the company doesn't ignore the dotted part. All of them are a unique email address for Netflix and each one can be used for registering a new account. This means that this difference can be exploited via a takeover attack.
The phishing part 
Here is how the account takeover works.
  • Try the Netflix signup form until you get a gmail.com address which is already registered by some user, for example, you find the victim shaquibdexter.
    • It's important to note that spelling out googlemail.com can also be interpreted the same as gmail.com.
  • Create a Netflix account with address shaquib.dexter
  • Sign up for a free trial with any card number (that card should be a throwaway card).
  • When Netflix applies the active card check, cancel the card.
  • Wait for Netflix to bill the canceled card. Then Netflix will email shaquib.dexter asking for a valid card.
  • Hope that Dexter will read that email to dexter.weesely, thinking it's for his Netflix account backed by shaquibdexter, then enters his card **4567.
  • Change the email for the Netflix account to new@gmail.com, kicking shaquibdexter's access to this account.
  • Use Netflix free forever with his card **** 4567!

Bonus *Cybrary Mashup*So these are resources that @ichiroshiro shared with you:Books
  • allitebooks.com
  • ebook777.com
  • bookboon.com
  • ebookscart.com
  • pdfdrive.net
Blogs
  • techytalk.online
  • null-byte.wonderhowto.com
  • hackingtricktips.blogspot.com
  • hacking-tutorial.com
Hope you enjoy all these resources :)- Ichiro

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry