Dot to exploit

Until recently we used to boast about our online registration process; though it is not especially unique, it has some additional features and follows the common practice adopted globally for online registration. A verification email was sent to the address provided during registration to validate that the email address actually exists.

The process was thought to be foolproof and no bugs had been reported since the day it was deployed, but one day we observed some 100-odd registrations coming from a single domain, @gmail.com. The email addresses appeared to be fake but had passed every step of the registration verification process. Prima facie we could not understand what had gone wrong, or which loose end in the system someone had tried to exploit.

When I was sharing this issue with one of my colleagues, he told me that his Gmail account had earlier received mail that was not meant for him, and he later learnt that for Gmail accounts the placement of a dot (.) in the address is immaterial. I could not believe my ears, and to validate this I tried to create a new account using my own username with a dot (.) inserted at various positions, but to my surprise it always prompted me to choose a different username, stating that the username already existed.

It took us only a few seconds to identify the loophole: the registration process had been validated using email addresses that were practically different based on the location of the dot (.), but were virtually the same account. For Gmail, firstnamelastname@gmail.com and firstname.lastname@gmail.com, or for that matter a dot (.) at any position, are the same address; mail written to firstname.lastname is delivered to the closest match, firstnamelastname, because Gmail ignores the position of dots when delivering email.

The conclusion was that for Gmail accounts a dot (.) at any position carries no meaning, whereas for most websites and other email providers such addresses are treated as different based on the character pattern.

We quickly created a fix wherein the dot (.) character is ignored when checking whether an email address already exists, especially if the account holder is on Gmail. This was a lesson learned for us, and I am sure that most websites may not be aware of this logical bug for email accounts. So if you have any validation process based on distinct email accounts, add a check for the dot (.), especially for accounts on Gmail.
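One way to implement the dot-insensitive existence check described above, as an added Python example that is not the original post's code. The set of dot-insensitive domains (gmail.com and its googlemail.com alias), the lowercasing of the local part for comparison, and the sample registration list are assumptions constructed for the example; the canonical form is used only as a comparison key, and mail should still be sent to the address exactly as the user typed it.

```python
from collections import defaultdict

# Assumption: domains whose mailboxes ignore dots in the local part.
# gmail.com and its googlemail.com alias behave this way; extend the set
# only for providers you have verified behave the same.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a key for duplicate checks, not an address to send mail to.

    The domain is lowercased (domains are case-insensitive). The local
    part is lowercased as a comparison choice, and dots are removed from
    it only when the domain is known to ignore them.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def is_duplicate(new_address: str, existing: list[str]) -> bool:
    """True if new_address maps to a mailbox already registered."""
    key = canonical_email(new_address)
    return any(canonical_email(e) == key for e in existing)


def find_collisions(addresses: list[str]) -> dict[str, list[str]]:
    """Group already-stored registrations that share one real mailbox.

    Useful for auditing an existing user table after deploying the fix:
    any key with more than one entry is the pattern the post describes.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for addr in addresses:
        groups[canonical_email(addr)].append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample registrations, not real data.
SAMPLE_REGISTRATIONS = [
    "firstnamelastname@gmail.com",
    "firstname.lastname@gmail.com",
    "f.i.r.s.t.namelastname@Gmail.com",
    "firstname.lastname@example.com",  # a different provider: distinct
    "first.name.last.name@example.com",
]
```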

“The nature of the computer is such that it can act like a machine or language to be shaped and exploited.”

Image source: techpin.com

2 comments:

  1. Superb finding. Google should proactively trace you and reward you.

  2. Thanks for sharing the technical knowledge, sir, and I am expecting more. Thanks, sir. It's such a wonderful, knowledgeable and practical post.

I would like to have your opinion on this. Please feel free to share your views!