Security: Dots May Not Matter in Gmail Addresses, But They Matter to Your Application Design

If you manage applications, you may encounter users who register multiple accounts using variations of the same Gmail address (or other email providers with a similar feature). This allows them to exploit your account creation process without needing to create entirely new email addresses.

As Google explains: Dots don't matter in Gmail addresses

Screenshot from Google Article

While this may seem like a minor issue, it can have significant implications for your application. When performing duplicate account checks, simply relying on a unique index in your database is insufficient. To safeguard your application, ensure that you normalise email addresses by removing dots in the local part before conducting duplicate checks. This small adjustment can prevent exploitation and maintain the integrity of your user database.

Disclosure: This entry is based on a collection of my personal notes, and some of the information may be outdated or no longer relevant. If you notice any inaccuracies, please let me know in the comments. I appreciate your feedback and will correct the entry as needed. :)

Comments

Post a Comment

Popular posts from this blog

Words: You Aren't Gonna Need It (YAGNI)

Another daily muse. It’s not surprising that our technical team continues to discover unused functions within a particular feature library. Although the names of these functions may sound promising, the logic inside is often outdated, as they haven’t been refactored to align with the current context of the feature. Some of these functions were written ages ago. This is where I need to borrow a concept from my university days, when my mates and I often applied Extreme Programming (XP) principles in our software projects. The core idea: Don’t add functionality until it’s actually needed. This is essentially the You Aren't Gonna Need It (YAGNI) philosophy. To quote Ron Jeffries, a co-founder of XP, as taken from Wikipedia: "Always implement things when you actually need them, never when you just foresee that you [will] need them."
Read more

Words: Domain-Driven Development

Today, I stumbled upon a simple read on Reddit that serves as a reminder for both new and seasoned programmers about the importance of Domain-Driven Development (DDD). The post shared this article by Google: Write Change-Resilient Code with Domain-Driven Design . While it just touches on DDD, it's good enough to raise awareness. In case DDD is new to you, here’s a brief description from Wikipedia: Domain-Driven Development is a major software design approach that focuses on modeling software to match a domain based on input from that domain’s experts. DDD opposes the idea of having a single, unified model. Instead, it divides a large system into bounded contexts, each with its own model. For a more in-depth exploration of DDD, here are some useful articles: DDD 101: The 5-Minute Tour Domain-Driven Design (DDD) From my perspective, the DDD concept allows for simpler collaboration between technical teams and domain experts through the use of a consistent language. It also reduces th...
Read more

Words: Chaos Engineering

"Chaos Engineering" is a rather cool IT discipline, but I haven't had the privilege of implementing it—perhaps because the systems I work with are never complex enough to require such a high degree of redundancy. Essentially, chaos engineering involves testing a system by introducing controlled faults or failures to identify its weaknesses and ensure it can handle unexpected disruptions. Examples of Chaos Engineering : Killing servers or nodes in a High Availability configuration to see if the service continues to run as expected. Introducing latency between servers/nodes (in a microservices environment) to observe how the system handles slow communication. Why It’s Important : Proactive Resilience : It helps you uncover weaknesses before they escalate into actual incidents, enabling teams to build more resilient systems. Improved Incident Response : By simulating real-world failures, teams gain valuable experience in handling outages, making them better equipped to resp...
Read more