Dots Not Cool, Hackers

Gmail is the world’s most popular email service provider. First released to beta testers in 2004, it wasn’t offered as an official product until 2009. Despite the lengthy gestation period, Gmail’s rise has been swift. Today, there are 1.5 billion Gmail users, representing 20% of the global email market.

One of the more curious features of Gmail that has become more problematic over the years is how the platform treats dotted email addresses. Google disregards periods in the name part of the email address. In other words, “myemail@gmail.com”, “my.email@gmail.com”, and even “m.y.e.m.a.i.l@gmail.com” are all the same email address. Essentially, Gmail removes all dots from the email address when directing email to the appropriate inbox. Google touts this as a feature that will ensure delivery of your email even when the sender accidentally adds a period to your address. And it does come in handy when you are testing online services that require a unique email address to register: by adding periods to your email address, you satisfy the site’s requirement for a unique email address, even though all the verification emails will come to your one address.

Alas, hackers have begun actively taking advantage of this behavior. They have applied for credit cards, filed fraudulent tax returns, submitted fake social security applications, and applied for unemployment benefits and disaster relief funding. This subterfuge works because almost every other website considers the periods in the email address meaningful. Instead of ignoring them like Gmail does, most other sites regard “myemail@gmail.com” and “my.email@gmail.com” as entirely different email addresses. Because such websites regard these email addresses as different, they allow people to register distinct accounts using them. As part of the registration process, the sites send verification emails to the dotted email addresses, but, because Gmail ignores the periods, the verification emails all end up at one email address. This allows two things: a hacker can issue and control multiple fraudulent accounts from one Gmail address, or he can successfully sign up for an account that you, the victim, accidentally verify for him when you receive the verification email in your inbox.

Clearly, given how easily it is now being exploited, this Gmail “feature” was a poor design choice. Unfortunately, with such a vast community of customers worldwide, some of whom use the feature for legitimate reasons (such as having multiple GitHub accounts), Google can’t abandon this long-established behavior without seriously inconveniencing lots of folks.

So, as with so many things in cybersecurity, it is up to individual users to exercise caution. When you receive an email asking you to verify an account, make sure that you actually opened the account, and carefully check the targeted email address for extra periods. And, if you manage a site for which people register online, it might be a good rule to require additional authentication whenever a user tries to register with an email address that contains one or more dots. These small actions can help reduce the abuse and misuse of this particular Gmail feature.
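For site operators, here is one way to apply that rule at sign-up. This is an added example, not code from the original article: the function names and the three outcomes are hypothetical, the dotted-address rule is applied to gmail.com addresses only, and the check goes one step beyond the article's rule by also catching a dotted variant of an address that already has an account.

```python
GMAIL_DOMAINS = {"gmail.com"}  # the only domain the article discusses


def split_address(address):
    """Return (local, domain), lowercased; raise ValueError if malformed.

    Assumption: lowercasing the local part is safe for account matching.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local.lower(), domain.lower()


def canonical_key(address):
    """The inbox Gmail actually delivers to: dots in the name part are dropped."""
    local, domain = split_address(address)
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def registration_decision(address, existing_keys):
    """Return 'duplicate', 'step_up' or 'allow' for a new sign-up.

    existing_keys: set of canonical_key() values for accounts already registered.
    """
    local, domain = split_address(address)
    if canonical_key(address) in existing_keys:
        return "duplicate"  # same inbox as an existing account
    if domain in GMAIL_DOMAINS and "." in local:
        return "step_up"    # dotted Gmail address: require additional authentication
    return "allow"


if __name__ == "__main__":
    # Constructed sample data: one existing account, then four new sign-ups.
    existing = {canonical_key("myemail@gmail.com")}
    for candidate in ("my.email@gmail.com", "m.y.e.m.a.i.l@gmail.com",
                      "jane.doe@gmail.com", "jane.doe@example.org"):
        print(candidate, "->", registration_decision(candidate, existing))
```

Storing the canonical key alongside the address as typed lets the site keep sending mail to the form the user entered while still matching dot variants to one account.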

Well-intentioned design choices sometimes have serious unintended consequences for cybersecurity. Dots just the way it is.

About Ray Klump

Professor and Chair of Mathematics and Computer Science; Director, Master of Science in Information Security; Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu. You can find him on Google+.
