Distinct Apple IDs for the same GMail account
Written on 28 January 2017, 02:45pm
It’s probably well known by now that when you create a GMail account, any periods (dot characters) in your username will be ignored by GMail:
If you have a personal account (typically ending in gmail.com), it doesn’t matter if people type the period in your username or not.
For example, emails to all of these addresses will be delivered to the same Gmail account:
johnsmith@gmail.com
jo.hn.smith@gmail.com
john.smith@gmail.com
https://support.google.com/mail/answer/10313?hl=en
What is the impact of this feature on the creation of new Apple IDs?
Well, for Apple the 3 email addresses above are distinct, so they will allow you to create 3 separate Apple IDs with the 3 email addresses. During the Apple ID registration process, an email with the subject "Verify your Apple ID email address" will be sent to confirm the ownership of the email address. Naturally, in all 3 cases above, the 3 emails will be delivered to the same GMail account.
This is already a bit awkward, but I guess it’s something that does not create any problems, so Apple had no reason to work around it.
The real problem is described below.
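An added example, not from the original post and not Apple's or Google's code: the dot rule quoted above written as a canonicalization function, used to find account IDs that deliver to one mailbox and to flag mail addressed to a different spelling of your own address. The function names, the googlemail.com alias and the "+tag" handling are assumptions that go beyond what the post describes.

```python
from collections import defaultdict

# Domains assumed to deliver to the same Gmail mailbox (assumption of this example).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address is delivered to, as far as Gmail's rules go."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain not in GMAIL_DOMAINS:
        # Other providers may treat dots and case as significant: keep the local part.
        return f"{local}@{domain}"
    local = local.lower().split("+", 1)[0]  # beyond the post: Gmail also ignores "+tag"
    local = local.replace(".", "")          # the rule quoted above: periods are ignored
    return f"{local}@gmail.com"


def find_shared_mailboxes(account_ids):
    """Group account IDs by delivery mailbox; keep groups with more than one distinct ID."""
    groups = defaultdict(set)
    for account_id in account_ids:
        groups[canonical_mailbox(account_id)].add(account_id)
    return {box: sorted(ids) for box, ids in groups.items() if len(ids) > 1}


def addressed_to_variant(own_address: str, to_header_address: str) -> bool:
    """True when a message reached this mailbox but was addressed to another spelling."""
    same_box = canonical_mailbox(own_address) == canonical_mailbox(to_header_address)
    return same_box and own_address.strip().lower() != to_header_address.strip().lower()


# Constructed sample data, using the placeholder addresses from the post.
REGISTERED_IDS = ["jane.doe@gmail.com", "janedoe@gmail.com", "janed.oe@gmail.com",
                  "jane.doe@example.org", "janedoe@example.org"]

if __name__ == "__main__":
    for box, ids in find_shared_mailboxes(REGISTERED_IDS).items():
        print(f"{box} receives mail for {len(ids)} distinct IDs: {ids}")
    print(addressed_to_variant("jane.doe@gmail.com", "janedoe@gmail.com"))
```

A registration service can run the first check before sending a verification email; a mailbox owner can run the second over the To: header of incoming account notifications.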
The facts
My wife has the Apple ID jane.doe@gmail.com. I’ll obviously not publish the real one, but it has a dot between the first name and the last name.
On 28/01/2017, between 2:31 and 3:45 CET she receives 21 email messages from Apple appleid@id.apple.com sent to Janedoe janedoe@gmail.com in Spanish. These emails are not for her: notice the lack of dot in the To: field. However, the first name and last name were correct, even if they were in one word:
In the middle of that string of emails, at 3:36 CET she receives another email from Apple noreply@email.apple.com sent to Janedoe janedoe@gmail.com, still in Spanish, with the message that the Apple ID was used to sign up on iCloud on a new device. Again, an email not for her (notice the lack of dot in the email) but with an identical device (model and iOS version). The Apple address in the footer, different from the one in the first email, made things look a bit odd:
In the morning, at 9:25 I changed the password for my wife’s Apple ID jane.doe@gmail.com. The two-factor authentication was already enabled, so I was not worried.
To my surprise, two more emails similar to the first 21 were received at 10:01 and 10:48.
At 11:52 I got in touch with Apple Support by phone, confirming that janedoe@gmail.com and jane.doe@gmail.com are pointing to different Apple IDs. Naturally, for privacy reasons, the support representative could not give me any information about the other Apple ID.
I also reported the problem on Twitter.
I made some tests myself: I created two test Apple IDs by using a GMail address with the dot placed in 2 different positions. Compared to the first email – which had the subject ‘Verify your Apple ID’ – this email had the subject ‘Verify your Apple ID email address’ and it was sending a 6-digit confirmation code:
I also used this form, to confirm that both jane.doe@gmail.com and janedoe@gmail.com are valid Apple IDs, both associated with the first name and last name of my wife:
The questions
I am a bit puzzled by the entire situation. I am confident that there was no phishing attempt (despite the different ‘From:’ fields and the different Apple addresses in the footer) and I am also confident that the Apple ID of my wife is not compromised (just changed the password + have two factor authentication). But I still don’t understand a few things:
1. how was the email address janedoe@gmail.com associated with an Apple ID in the first place, without my wife receiving any confirmation email?
2. what is the action that triggered the strings of emails sent to my wife?
I tried a few scenarios (changing the primary email, adding a secondary email and adding a rescue email to my ‘test’ account), but all of them triggered emails with verification codes, nothing similar to the email in the first screenshot.
The most plausible answer so far would be that the janedoe@gmail.com Apple ID was created a long time ago, when email verification was not necessary (I don’t know if this was ever possible), and that the person that created it has (by coincidence) the same first name and last name as my wife.
I have no conclusion to this. Hopefully Apple will clear things up. I’ll update this post as soon as I have more information.
Updates
Update 29/01/2017: AppleSupport was really friendly on Twitter. Waiting for someone to call me.
I had another look at the links in the first email (forensic analysis FTW 🙂 ); I can see the following format:
https://id.apple.com/cgi-bin/verify.cgi?language=ES-ES&key={key}&type=DFT&_C=ESP&_L=es_ES
This redirects to
https://id.apple.com/IDMSEmailVetting/vetemail.html?app_type=ext&key={key}
Here the email address janedoe@gmail.com is pre-filled, and the page is asking for the password:
It’s strange because I could not reproduce this situation in any of my tests. I even tried to change the Apple ID of my wife by using the recommended way (I tried to change her Apple ID from jane.doe@gmail.com to janed.oe@gmail.com), but I only received an email with the 6-digit code. Nothing similar to the emails in Spanish sent to janedoe@gmail.com.
Still waiting for an answer…
Written by Dorin Moise (Published articles: 277)
Comments (4)
Do you think the three Gmail accounts can be subaccounts to someone’s iCloud account? Could it be a way to create several “identities” on three separate phones as the same person? For example, with Apple, our iPhone is typically linked and verified by its Apple ID. Does that make sense?
Beth, I don’t see why that wouldn’t work
Dorin, what was the final conclusion of this? I’m in the same boat this week, except not in Spanish.
I am betting now that someone has found an old plain text breach of my google account and is trying out the stolen password on other services… but in case it’s a simple mistake, I sms-messaged the verification phone# via email to ask if perhaps they are forgetting some piece of their gmail account name… I wonder if someone might spoof my phone# to receive the texted “2FA” security code.
Apple doesn’t have any other 2FA option for non-Apple devices, just SMS. That’s… stupid. I signed up for Apple stuff when I had an iPhone, but it’s been years since that phone was recycled.