Creation of an infinite number of accounts with only one email address

Bug description: When choosing the email, you can simply add “+placeholder” before the @ and it works as a different email.

Expected Behavior: It detects it as the same email.

Current Behavior: It does not detect it.

Steps to reproduce: Go to the email signup, then, when choosing an email that is already registered, for example “example@gmail.com”, simply put “example+placeholder@gmail.com” (placeholder can be anything) and you can create an account (you will also receive the confirmation email, as Gmail ignores anything after the +).

Bug appears at this link: https://replit.com/signup

Browser/OS/Device: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36

Replit Profile: https://replit.com/@ShyMike

1 Like

I don’t know if this is intentional, but maybe it isn’t.

I can’t really make a screen recording as my PC is bad, but I will try to explain it better:

You can have an account with the email “example+1@gmail.com” and another account with “example+2@gmail.com” using only one email (example@gmail.com).

Why should the +2 or whatever be allowed?


You can’t add it to your email address?

That’s in Gmail, you don’t need to create a new account or anything… just umm use the +2 in the Replit signup.

Also, I tend to use dotted versions of my email to further identify the source of my emails.

I also use it for that purpose, that’s how I randomly stumbled upon it.

2 Likes

Wait, how do these ‘dotted versions’ do anything? How does it help you to ‘further identify the source of your emails’?

Well, with +2 they are comments which don’t show up (IIRC), but the dotted version lets me know “oh, that’s my alt!” when looking at the To field.

Anything after the + is ignored, so you can do like +randomWebsiteHere for a specific website.

[Screenshot 2023-11-04 022025]
[Screenshot 2023-11-04 022039]
Example in Replit:

So um… do other websites have the same problem as this? [1]

1. Okay, now I think I got it

Some block it (or just wipe anything after the + using regex), some don’t.

Does this also work with dots in the emails?

Because if so, a regular email like example@gmail.com could be e.x.a.m.p.l.e+replit@gmail.com.

It should, as that is standard.

It’s not ignored per se, if you check the To line in emails that use a +ed email, it’s still in the field.

2 Likes
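The two fixes discussed in this thread (wiping the +tag before comparing, and treating dotted Gmail addresses as the same inbox) amount to computing a canonical form of the address and using that as the uniqueness key at signup. The example below is added here for illustration and is not Replit’s code; the `DOT_INSENSITIVE_DOMAINS` set, the `Registry` class and the sample addresses are constructed for the example. It keeps the address exactly as the user typed it for sending confirmation mail and only uses the canonical form for the duplicate check, and it treats lower-casing of the local part as a deliberate policy choice rather than something the standard guarantees.

```python
import re
from typing import Dict, Optional

# Domains known to ignore dots in the local part. gmail.com is documented to do
# this; googlemail.com is assumed to behave the same as Gmail's alternate domain.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# Sub-address separator. "+" is the common convention (and what this thread is
# about), but some mail servers use a different character or none at all, so
# stripping it is a policy decision for the signup form, not an RFC guarantee.
SUBADDRESS_SEPARATOR = "+"

# Deliberately simple shape check: one "@", no whitespace, a dot in the domain.
_EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


def canonicalize(address: str) -> Optional[str]:
    """Return the deduplication key for an address, or None if it is malformed.

    example+replit@gmail.com, E.x.a.m.p.l.e@gmail.com and example@gmail.com all
    map to the same key, so they cannot be used to open separate accounts.
    """
    match = _EMAIL_RE.match(address.strip())
    if not match:
        return None
    local, domain = match.group(1), match.group(2).lower()

    # Drop the sub-address tag: "example+anything" -> "example".
    local = local.split(SUBADDRESS_SEPARATOR, 1)[0]

    # Gmail delivers e.x.a.m.p.l.e@gmail.com and example@gmail.com to one inbox,
    # so dots in the local part carry no identity there. Other domains keep them,
    # because first.last@ and firstlast@ may genuinely be different people.
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")

    # RFC 5321 says the local part is case-sensitive, but large providers treat
    # it case-insensitively; folding case is a conscious choice to avoid
    # Example@ and example@ being registered as two accounts.
    local = local.lower()

    if not local:  # e.g. "+tag@gmail.com" has nothing left after stripping
        return None
    return f"{local}@{domain}"


class Registry:
    """Toy signup store (constructed for this example) keyed on the canonical form."""

    def __init__(self) -> None:
        self._accounts: Dict[str, str] = {}

    def register(self, address: str) -> str:
        """Return 'created', 'duplicate' or 'invalid' for a signup attempt."""
        key = canonicalize(address)
        if key is None:
            return "invalid"
        if key in self._accounts:
            return "duplicate"
        # Store the address as typed: confirmation mail goes to what the user
        # entered, while the canonical key enforces one account per inbox.
        self._accounts[key] = address
        return "created"

    def stored_address(self, address: str) -> Optional[str]:
        """Look up the as-typed address registered under the same inbox."""
        key = canonicalize(address)
        return self._accounts.get(key) if key else None


if __name__ == "__main__":
    reg = Registry()
    for attempt in ["example@gmail.com", "example+placeholder@gmail.com",
                    "e.x.a.m.p.l.e+replit@gmail.com", "Example@GMAIL.com"]:
        print(f"{attempt:35} -> {reg.register(attempt)}")
```

Note that this over-merges for domains where a literal “+” is part of a real address; if that matters for the user base, the separator stripping can be limited to domains known to use sub-addressing, the same way the dot rule is limited to Gmail here.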

Well, dotted emails are part of a Gmail feature IIRC, and the plus sign along with the banana<email@example.tld> would probably work as well.

By varying the +2 or the location of the period when you sign up for a site you can determine which website sold/leaked your email/info.

For example, I know that any emails without a period in it are most likely spam since I only ever use a period in my name. Of course, this increases the amount of spam but it also means that I get emails that might otherwise never get to me.

Who took example@gmail.com and how is it already in use?!?!?!?