Creation of infinite amount of accounts with only one email address

Bug description: When choosing the email you can simply add “+placeholder” before the @ and it works as a different email

Expected Behavior: it detects it as the same email

Current Behavior: it does not detect it

Steps to reproduce: go to the email signup, then, when choosing an email that is already registered, for example “”, simply put “” (placeholder can be anything) and you can create an account (you will also receive the confirmation email, as Gmail ignores anything after the +)

Bug appears at this link:

Browser/OS/Device: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36

I don't know if this is intentional but maybe it isn't

I can't really make a screen recording as my PC is bad but I will try to explain it better:

You can have an account with the email “” and another account with “” using only one email (

Why should the +2 or whatever be allowed?

You can’t add it to your email address?

That’s in Gmail, you don't need to create a new account or anything… just umm use the +2 in the replit signup

Also, I tend to use dotted versions of my email to further identify the source of my emails.

I also use it for that purpose, that's how I randomly stumbled upon it


Wait, how do these ‘dotted versions’ do anything? How does it help you to ‘further identify the source of your emails’?

Well, with +2 they are comments which don’t show up (IIRC), but dotted versions let me know “oh that's my alt!” when looking at the To field.

Anything after the + is ignored so you can do like +randomWebsiteHere for a specific website

Example in replit:

So um… do other websites have the same problem as this?

Some block it (or just wipe anything after the + using regex), some don't

Does this also work with dots in the emails?

Because if so, a regular email like could be

It should, as that is standard.

It’s not ignored per se, if you check the To line in emails that use a +ed email, it’s still in the field.


Well, dotted emails are part of a Gmail feature IIRC, and the plus sign along with the banana<email@example.tld> would probably work as well.

By varying the +2 or the location of the period when you sign up for a site you can determine which website sold/leaked your email/info.

For example, I know that any emails without a period in them are most likely spam since I only ever use a period in my name. Of course, this increases the amount of spam but it also means that I get emails that might otherwise never get to me.
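The duplicate check the thread asks for can be done by storing a canonical key next to the address as typed. This is an added example, not part of the thread and not Replit's code. The names `canonical_email` and `SignupRegistry`, the `PLUS_TAG_DOMAINS` set and all sample addresses are constructed for illustration.

```python
# Added example: canonical key for duplicate-account checks at signup.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # both reach the same mailbox
# Assumption: domains where the operator has confirmed "+tag" is ignored on
# delivery. Other providers may treat "+" as an ordinary character.
PLUS_TAG_DOMAINS = GMAIL_DOMAINS | {"mail.example.test"}


def canonical_email(address: str) -> str:
    """Return the key used for uniqueness checks (never for sending mail)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower().rstrip(".")
    # Assumption: the provider matches the local part case-insensitively.
    local = local.lower()
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]   # drop "+anything"
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")   # Gmail ignores dots in the local part
        domain = "gmail.com"
    if not local:
        raise ValueError(f"empty mailbox name after normalization: {address!r}")
    return f"{local}@{domain}"


class SignupRegistry:
    """In-memory stand-in for a users table with a unique canonical column."""

    def __init__(self):
        self._by_key = {}  # canonical key -> address exactly as the user typed it

    def register(self, address: str) -> bool:
        key = canonical_email(address)
        if key in self._by_key:
            return False   # same mailbox already has an account
        self._by_key[key] = address  # confirmation mail still goes to `address`
        return True


if __name__ == "__main__":
    reg = SignupRegistry()
    # Constructed sample signups: three spellings of one Gmail mailbox.
    for addr in ["sample.user@gmail.com", "sampleuser+2@gmail.com",
                 "s.ample.user@googlemail.com", "sampleuser+2@other.example"]:
        print(f"{addr:32} -> {'created' if reg.register(addr) else 'duplicate'}")
```

Keeping the typed address for delivery means users who rely on +tags or dots to trace leaks still see them in the To field, while the uniqueness constraint sits on the canonical key.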

