(Very) poor Gmail security

Viewing 33 posts - 1 through 33 (of 33 total)
  • Trailrider Jim
    Subscriber

    Google freely admit that they have no way to stop other variations of a Gmail address receiving emails. For example, today I have received an email intended for someone else – it’s just their Gmail address doesn’t have a dot between the first name and last name, as mine does. I now know this person’s car’s VIN number. I find it staggering that Google have not plugged this massive security hole.

    Greybeard
    Subscriber

    Google’s servers ignore dots and always have; you can’t create an address that’s the same as another with different dots. It’s more likely that the other person has the same as you with a number (or a different number) and it’s been typed wrongly. You can’t blame Gmail, all they’re doing is delivering the mail to the address it was sent to, it’s the sender or whoever gave them the address that’s to blame.

    Drac
    Subscriber

    What GreyBeard said; this is the equivalent of someone sending a letter to the wrong address.

    I am confused. Are you suggesting that if my address is frank.sintra@gmail and franksinatra@gmail accidentally gives out the wrong address to DVLA, Google should know that and intercept it? How does google know that it wasn’t me requesting the VIN?

    Trailrider Jim
    Subscriber

    you can’t create an address that’s the same as another with different dots

    So how come I was able to set up my firstname.lastname address when gmail launched 15 years ago but I’m receiving someone else’s emails addressed to the firstnamelastname version?

    So how come I was able to set up my firstname.lastname address when gmail launched 15 years ago but I’m receiving someone else’s emails addressed to the firstnamelastname version?

    It’s either spam, or they gave the wrong address/whoever they gave the address to read it wrong.

    amedias
    Member

    firstnamelastname IS your address (an auto-alias as gmail ignore the dot), it’s not that they have it and you’re getting their mail, it’s that they have a similar address but the sender mistyped it and sent it to you.

    I get some guy’s Amex statements* and notifications, his email address has one letter different to mine and often people mistype it, I sometimes get other emails for him too, it’s not a gmail security hole, it’s a numpties sending emails to the wrong address security hole.

    * I’ve tried soooo many times to sort this but Amex are apparently incapable of either understanding or fixing it.

    Trailrider Jim
    Subscriber

    The email looked genuine regarding linking Gmail to the person’s mercedes me account. The email came from the @mercedes.me domain and as I mentioned lists the car’s VIN number. Seems odd the intended recipient would provide an incorrect email address.

    bails
    Subscriber

    Seems odd the intended recipient would provide an incorrect email address.

    They probably didn’t do it on purpose.

    bruk
    Subscriber

    I doubt they provided an incorrect email address. More likely the car dealers put it in wrong. When buying a company car, I once had the salesman ring me up and ask how to spell veterinary. This despite it being in the address I had given him to register the car and surely access to google! Bunch of numpties.

    dissonance
    Subscriber

    Seems odd the intended recipient would provide an incorrect email address.

    But will have been what happened, probably by mistake. Either misspelling it or missing a number from the end or similar.
    As others have said using . in a gmail address gets ignored (can be a semi effective way to identify sources of spam although depends on them not stripping it out).

    DickBarton
    Member

    The other could have been created as a googlemail address and when Google merged Gmail and Googlemail it all went to pot.
    I’m receiving similar stuff and they can’t stop it. I’d registered my address years ago, so it isn’t a new thing, but over the last year someone with a similar address has been doing a lot of renovation as a load of order confirmations for furniture and soft furnishings have arrived!

    miketually
    Subscriber

    Royal Mail freely admit that they have no way to stop other variations of a postal address receiving letters. For example, today I have received a letter intended for someone else – it’s just their address is slightly different to mine. I find it staggering that the Royal Mail have not plugged this massive security hole.

    Trailrider Jim
    Subscriber

    Ok, thanks all for the wise words. So as well as “dots don’t matter”, “no dots don’t matter” would also apply? I think I get it. Apologies for being thick.

    xora
    Subscriber

    Well the good news is you now have a free Mercedes if you want one 😀

    Given that some numpty gave you its login!

    Greybeard
    Subscriber

    So as well as “dots don’t matter”, “no dots don’t matter” would also apply?

    Correct – dots are ignored, so trail.rider.jim is treated as trailriderjim. But in this case, the email should probably have been sent to trailriderjim6, and the sender forgot the 6. I get invited to play rugby in Hong Kong due to a similar error.

    tthew
    Subscriber

    Did you go? 😁

    thepurist
    Subscriber

    These kind of mistakes can have serious consequences – imagine mistyping Buttle instead of Tuttle.

    vinnyeh
    Subscriber

    kind of on the topic, you can add a modifier onto your email address (without creating a new email) using a “+” symbol and a few letters after it when you give it out, lets you filter/sort email easily, and determine who’s passing round your info.

    eg if you’re john.smith @ gmail.com, and sign up to stw as john.smith+stw @ gmail.com, any emails sent to that address will end up at john.smith @ gmail.com. If you start getting spam and in the header it’s been sent to john.smith+stw @ gmail.com, then you know who to blame..

    spekkie
    Member

    Funnily enough I have exactly the same problem.

    My gmail address is firstnamesurnameh at gmail.com (I’ve had this since gmail first started) lately I keep getting emails clearly meant for someone else.

    I was working out from the clues that the person concerned lived somewhere in Texas, has recently bought a new car, has applied for credit, has bought electrical goods with extended guarantees . . . Etc etc.

    Eventually I got an email meant for him that showed somewhere in it that his email address is firstnameDOTsurname at gmail.com (which shows that either you can create an address the same as an existing gmail address but with a dot in it, or you can’t, but he thinks he did?)

    Not sure if he ever gets mail meant for me . . . .

    bails
    Subscriber

    Eventually I got an email meant for him that showed somewhere in it that his email address is firstnameDOTsurname at gmail.com (which shows that either you can create an address the same as an existing gmail address but with a dot in it, or you can’t, but he thinks he did?)

    Not sure if he ever gets mail meant for me . . . .

    Correct, you can’t but he thinks he did.

    firstnamesurname @gmail.com is the same as firstname.surname @gmail.com so the two can’t exist as separate mailboxes belonging to different people. Emails meant for him are being delivered to the email address he’s given people. Everything is working exactly as it should. Just like the woman who gave people my phone number instead of hers. I eventually found out that they were identical except for the last two digits, mine was “07XXXXXXX67” and hers was “07XXXXXXX76”. If someone sends her a text and it comes to me then it’s not the fault of Vodafone, or a massive security flaw in the mobile network, it’s just one user making a mistake.

    CountZero
    Member

    I now know this person’s car’s VIN number

    I’ve got easy access to several thousand car VIN numbers, as has anyone wandering around any public car park. Along with the car reg. number. Not sure what difference it makes.

    eemy
    Member

    I received an email that contained some family photos (all clean), meant for someone with the same name as me who lives in New Zealand. So I sent them a family photo in return.
    You could always email them your VIN number.

    wwaswas
    Subscriber

    VIN number

    I bet everyone typing this also talks about PIN numbers.

    Grrrr.

    retro83
    Member

    DickBarton

    Member

    The other could have been created as a googlemail address and when Google merged Gmail and Googlemail it all went to pot.

    Don’t think you could mate, it was just a different domain name on the same system.

    simon_g
    Subscriber

    I’ve had dozens of these over the years. Mostly either misspellings or where they’ve had to stick a number on the end (because I got there first) and they forgot to include it.

    Ignoring dots in the address is not a security issue.

    nealglover
    Member

    So are we going with….

    “(Very) poor thread title choice”

    dissonance
    Subscriber

    (Very) poor thread title choice

    or “Keyboard-chair interface error”.

    Greybeard
    Subscriber

    The other could have been created as a googlemail address and when Google merged Gmail and Googlemail it all went to pot.

    As above, gmail and googlemail are the same, but there was initially a copyright issue or something in the UK and they couldn’t use gmail as their domain. My address still works with either domain.

    benp1
    Subscriber

    @vinnyeh

    eg if you’re john.smith @ gmail.com, and sign up to stw as john.smith+stw @ gmail.com, any emails sent to that address will end up at john.smith @ gmail.com. If you start getting spam and in the header it’s been sent to john.smith+stw @ gmail.com, then you know who to blame..

    Can you explain that a bit more please?

    dissonance
    Subscriber

    Can you explain that a bit more please?

    Gmail will effectively ignore anything after the + and still send it to johnsmith.
    So you can give singletrack johnsmith+stw@gmail.com as your email address and pink bike johnsmith+pink@gmail.com as your email.
    It will still get sent to johnsmith@gmail.com but you would be able to see from the to address which variant it used. So if you suddenly start getting a bunch of emails to johnsmith+dodgycompany@gmail.com you know they handed out that email to others.
    Of course, if the spammers are clever they can strip that out.
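
The addressing rules described across this thread (dots ignored, anything after a + ignored, gmail.com and googlemail.com interchangeable), written out as an added example that is not part of any poster's reply. It shows how a signup form could spot spellings that all land in one mailbox, and how to read the +tags off received mail; the function names and sample addresses are constructed, and lower-casing the name is an assumption the thread does not discuss.

```python
from collections import Counter

# Per the thread, both domains reach the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address):
    """Return (mailbox, tag) for an address; tag is the +suffix or None."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()  # domain names are case-insensitive
    tag = None
    if domain in GMAIL_DOMAINS:
        # Lower-casing the name is an assumption; the thread does not cover case.
        local, plus, suffix = local.lower().partition("+")
        tag = suffix if plus else None
        local = local.replace(".", "")  # dots are ignored
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty mailbox name: {address!r}")
    # Other domains keep their name as typed: these rules are Gmail's.
    return f"{local}@{domain}", tag


def shared_mailboxes(addresses):
    """Map each mailbox to the distinct spellings that deliver to it (2+ only)."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_mailbox(addr)[0], set()).add(addr)
    return {box: sorted(seen) for box, seen in groups.items() if len(seen) > 1}


def tags_seen(to_addresses, my_address):
    """Count the +tags on mail that was delivered to my_address's mailbox."""
    mine = canonical_mailbox(my_address)[0]
    hits = (canonical_mailbox(a) for a in to_addresses)
    return Counter(tag for box, tag in hits if box == mine and tag)


# Constructed sample data, modelled on the addresses used in the thread.
SIGNUPS = ["john.smith@gmail.com", "johnsmith+stw@gmail.com",
           "JohnSmith@googlemail.com", "johnsmith6@gmail.com",
           "john.smith@example.org", "johnsmith@example.org"]
TO_HEADERS = ["johnsmith+stw@gmail.com", "john.smith+dodgycompany@gmail.com",
              "johnsmith+dodgycompany@gmail.com", "johnsmith6+stw@gmail.com"]

if __name__ == "__main__":
    print(shared_mailboxes(SIGNUPS))
    print(tags_seen(TO_HEADERS, "john.smith@gmail.com"))
```

Note that johnsmith6 stays a separate mailbox: a dropped digit is a different address, which is the misdelivery case the thread keeps coming back to.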

    Harry Tuttle
    Subscriber

    These kind of mistakes can have serious consequences – imagine mistyping Buttle instead of Tuttle.

    You called?
