
Major Gmail security vulnerability discovered - caution - could affect other email IDs as well



I sent Gmail security an email warning of a security vulnerability. Odds are that the email will not be acted on due to automated routing of such emails.

The issue: once a Gmail ID is identified, a malicious person can easily set up a shadow email address and start receiving copies of emails intended for the target email ID. Identity theft information can be mined from such emails.

Example of an identity theft piece of information: userA does a "forgot my password" click on PayPal. PayPal sends a link to userA's mailbox. userA is supposed to click the link, which takes him into PayPal to complete the password change transaction. userB receives the email, also clicks the link, userB changes the password of userA, and userB is now in userA's PayPal account.

How is this done? userA establishes a new Gmail email ID of superfly@gmail.com; Gmail checks if the email name is in use and, if it is not, issues the email address of superfly@gmail.com. userB requests a new Gmail ID of super.fly@gmail.com; Gmail checks to see if super.fly@gmail.com is issued, does not recognize superfly@gmail.com as a match, and issues the email address of super.fly@gmail.com to userB.

Both userA and userB receive copies of emails intended for the other. An email to superfly@gmail.com will go to both superfly@gmail.com and super.fly@gmail.com.

Gmail's position on this is that their email system does not recognize a "." in the username section of the email address.

Obviously a security vulnerability that needs to be fixed.

May also affect other email systems.

I discovered a shadow email address of my account which has been getting copies of all my emails.

Link to comment
Share on other sites

Yes... I tested it... and sent the results to Gmail security.

I duplicated it by creating new accounts and verified the problem. Why? I was getting copies of all of someone else's emails and he was getting copies of all of mine. I investigated the issue and found the cause to be the inability of Gmail to recognize a "." in a username, while at the same time, during email name creation, Gmail thinks a username with a dot is different from one without a dot, so it does not show an "already in use... pick another new name" message.

Link to comment
Share on other sites

You are certainly correct in that emails sent to an address without dots show up in my account, one that does use dots.

However, testing with totally new accounts, I've been unable to create a shadow account.

Meaning that I created a new account with dots. Tried to create a shadow account without dots; Gmail said no, account already exists.

So, I tried it the other way: created a new account without dots and then tried to create a shadow account with dots. Same thing, no go.

It appears to me that Google account creation doesn't recognize dots either. Maybe this is their "fix".

Not good news, at any rate.

Link to comment
Share on other sites

Mail sent to any of myfakeemail.spam@gmail.com, myfakeemailspam@gmail.com, myfakee.mailspam@gmail.com, my.fakeemail.spam@gmail.com would be sent to all the indicated boxes.

Link to comment
Share on other sites

Yes, that's true, the mail does go to all of those accounts.

My point is that you can't create any new accounts with a unique password in order to shadow an existing account.

I've tried it, twice, as mentioned above.

You say you've tested it, what am I doing differently?

More detail:

I created a new Gmail account "testmeblind". Immediately afterward, attempted to create test.me.blind & a couple of other variants. I could not create any other accounts for testmeblind; they all showed as being used.

I reversed the process and created another new account, using periods. Then tried to create variants... no go. Same result, others were listed as already being used.

??????????????????????????????????????????

Link to comment
Share on other sites

Well, I certainly appreciate the heads up on this - If indeed, at any time, shadow accounts were able to be created, it's a huge issue.

However, I have googled this quite a bit and most of the info is from more than several years ago (most from 2006 & 2007) and I couldn't confirm that shadow accounts were ever an issue.

I also personally have been unable to create a shadow account.

Therefore, I declare this issue solved and fixed until I see evidence to the contrary.

Link to comment
Share on other sites
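
The behaviour debated in this thread, as an added example that is not part of any post: delivery ignores dots in the part before the @, so a sign-up uniqueness check is only safe if it compares the same dot-free form. `canonical_mailbox`, `Registry` and `colliding_addresses` are hypothetical names, the sample addresses are constructed from those quoted in the thread, and only dot handling for gmail.com is modelled.

```python
from collections import defaultdict

# Assumption: only the domain discussed in the thread ignores dots.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox key a dot-insensitive provider delivers to."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


class Registry:
    """Sign-up registry. canonicalize=False models the mismatch the first
    post describes; canonicalize=True models what the later posts observed."""

    def __init__(self, canonicalize: bool):
        self.canonicalize = canonicalize
        self.owners = {}

    def register(self, address: str, owner: str) -> bool:
        raw = address.strip().lower()
        key = canonical_mailbox(address) if self.canonicalize else raw
        if key in self.owners:
            return False  # "already in use"
        self.owners[key] = owner
        return True


def colliding_addresses(addresses):
    """Group addresses that land in the same mailbox; useful when auditing
    a user table on a third-party site for dotted variants of one inbox."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_mailbox(addr)].append(addr)
    return {key: group for key, group in groups.items() if len(group) > 1}


# Constructed sample input, based on addresses quoted in the thread.
SAMPLE = ["superfly@gmail.com", "super.fly@gmail.com",
          "test.me.blind@gmail.com", "super.fly@example.org"]
```
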
