GMail Security Flaw

[oliciv]

http://slashdot.org/articles/06/01/22/1921241.shtml

An anonymous reader writes "Google doesn't make many mistakes but when it does, boy, are they doozies! The latest is that Gmail doesn't care about periods in usernames. So mail sent to [email protected] is also delivered to [email protected], even though these are two separate mail accounts. Google admits Gmail doesn't see periods, but no word on a fix yet."

 

[dgridley]

I used to have a "dotted" gmail address.. thankfully I don't any longer! Wonder how much of my tons of "spam" got sent to the other address as well?

 

[Momo]

It's incredible how they could make a mistake such as that. If Gmail couldn't see periods, they shouldn't have allowed username signups with periods in the first place

 

[Epic]

I have a dotted adress...I don't think there's an undotted version of mine though

 

[user-7256]

Uh oh, my primary personal address has a dot in it... I better register the one without the dot too!

 

[LeetPCUser]

That is pretty amazing. You would think they would test things like that. I wonder how someone figures that out, lol. Too much time on their hands?

 

[smub]

i know that fault already

but there is still one problem ... i dont think there is anybody else who have my email but every day i recieve about 100 + spam

 

[The Equivocate]

AHA! This explains why I keep getting emails addressed to a "Martin Reddington" with my email having a dot in it (m.reddington)

 

[nick-8318]

i recieve 0 spam

 

[weblord]

glad that my gmail address has no dots on it and i kept it clean because of the 100 displays per page. lol

 

[Keral_Patel]

Is this viceversa????

I have a address without dot. But then gmail would not put a dot in between and send it to the dotted one also. If this starts happening my GoDaddy account. My paypal all gets into mess.

Going right now to reg my dotted version also.

 

[gamehouse]

Wait a second, I understand it differently from the page on gmail.

Gmail doesn't recognize dots (.) as characters within a username. This way, you can add and remove dots to your username for desired address variations. messages sent to [email protected] and [email protected] are delivered to the same inbox, since the characters in the username are the same.

As you can read, both emails will be sent to the same inbox. I have a dot in my email and to test this, I tried to register the same address without dot in it, and gmail said it is taken. Now my email address is not simple and chances are very less that somebody took it.

So I went further and took a random name jxyzsmith and registered [email protected] and then try to register [email protected], voila, it is not available. Which should clear all the doubts.

Good luck,

Gamehouse

 

[RJ]

Can anyone explain why this would need to be fixed? They promote this as a feature on their site, as gamehouse pointed out.

 

[weblord]

the way i see it if i someone emails [email protected] it will also be sent to [email protected], and to the following as well:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected] so on and so forth? is that what oliciv is saying? that's ridiculous you're helping out a spammer on this setup

 

[oliciv]

Can anyone explain why this would need to be fixed? They promote this as a feature on their site, as gamehouse pointed out.

I believe it has been fixed now, but different people used to be able to register dotted and non dotted versions of a username - those who still have these similar accounts still recieve eachothers email.

 

[weblord]

hi, got some reference urls so we know also how and when it was fixed? thanks.

 

[manic000]

This is nothing new, I remember reading the explanation when creating an account I have had since 2004. It is a feature, not a security flaw..

Lets say Bob Dobbs signs up as [email protected], if GMail "saw" the period and someone mistakenly sent something to [email protected] it would either get bounced back or go to the wrong person if [email protected] existed. Weblord is correct that the period can be anywhere in the name.

You can also create filters based on the different variations so mail to [email protected] could be sorted differently than [email protected] or [email protected].

Also something similar, you receive any mail sent to yourname+anything, for example [email protected], create a namepros label and filter mail sent to that address into the label.

 

[weblord]

i like that feature sort of a "catch-all" email account

 

[jeter4982]

Thats pretty funny that everyone was panicing about this "flaw", when it fact it is a feature. It just wouldn't make sense for Google to test something like that...

Tom