Systems like Airbnb Need to Beware Gmail Features

System architects and designers can have a hard time figuring out what is actually needed and how to handle everything for complex systems like Airbnb, Twitter, Facebook, and many other systems that we use day to day.  They need to figure out what the requirements for the system are, what database to use, what data is stored, and many more things.  But as of right now, there are some large systems that are actually not handling a couple of Gmail features properly and it could cause a problem.  Those features are the . and the + that people can add to their email addresses.  Let's take a look at the issue and what could be done about it from a programmer point of view.

The first feature is that you can add a period (.) anywhere in the name part of your email address and all of these will go to your original email account.  This means that all of the following email addresses actually go to the same account.

Emails using the . feature

I like this feature and I do use a . in my normal email address and then use that same one on multiple platforms or where I work.  I also typically will add an alias to my email address for my work like steve.maier@ when I worked at Microsoft or teach at RIT.

The issue with this feature is that they are all the same account and depending on how the company coded email addresses in their system, each of the email addresses above look like a separate person.  Now, I have used this feature to my advantage when there was a contest that needed separate email accounts, but this could cause an issue if someone else happens to use one of the other ones.  You will be getting email that was meant for them.  This is exactly what is happening with me.  I have someone else that is using my email address without the . in the name.  Overall, it not a big deal but I did get emails about a project with the US government (not spam, I checked) and recently got the receipt for a confirmation for a reservation from Airbnb.

Systems like Airbnb will use the phone and app as their primary authentication method and ask for email as well but that was not authenticated by the user.  I was able to go into AirBnb's website and try to log into the account and it then told me that there was no password for the account and if I would like to create one, it would send me an email with a short-term link to reset the password.  Keep in mind, I would be setting a password on an AirBnb account that I do not own.  Since Gmail sends all emails to the same account, it appeared in my normal inbox.  It was sent to the one without the . but I was able to get the link to reset the password even though I do not own that account at all.  With access to their Airbnb account, I might be able to see their credit card, cancel reservation, remove credit cards on file, close the account, or even leave bad comments for places that I had "stayed".  

This is a problem with the design of the system not taking into consideration the fact that Gmail has this . feature.  But it is nearly impossible for anyone designing a system like this to know what features places like Gmail, Outlook, Yahoo, etc have available.  Most companies will have a database to keep their user data in and it might look something like this:

Sample database table

They assume that everyone has a separate email address.  According to that assumption all of the email addresses above should be different people. But the next feature causes the exact same type of issue as well.

The second awesome feature that Gmail provides is the ability to add a + to your email address and then add something to the right of the plus sign.  All of the email addresses below will go to the same email account as well.

Emails using the + feature

This feature is very useful for a few reasons.  First, if I am unsure if some website, contest, or person might sell my email address, I can add a + and some identifier and it will come to my normal account.  I have done this at conferences when I signed up to win something or if I might get a discount for giving them my email address.  I can then even show them that if they send an email to my email with a + in it, it will work.  I can also block that email address with the + and whatever extra I gave them if they sell it and all of a sudden, I am getting emails using that address about my car's warranty expiring.  

Another great use for this is for testing software.  When I worked at a great little startup in San Fransisco, Employee Channel, we used Gmail as the email system.  When we needed to do a lot of testing on the website we were making we could just then use our normal email addresses.  The email provided needed to be valid and we wanted to see if we were getting messages sent to it, but add a +user1, +user2, etc.  This way, I could make as many unique email addresses as possible, and they were all valid and I could see the results of anything sent to them.

The issue with this second feature also has the same problem as the first.  Someone could actually use the + feature with your normal Gmail address and then have that as a valid email address but just not to them.  Systems that do not check for this will think it's a separate person and everyone is happy.

As programmers, we all want to have a way to fix this.  One possible way is to convert the email address to one that would match any email that had the features used.  This could be that you remove the . and the + and everything after the plus.  You could also store the base Gmail address in the database as well so that you can check for matches for the normal email or the base one.  You could also just convert the email address that is saved to the database to the Gmail base address and this way if you convert one given to you it would match.  The list of what you could do to handle this for your business is endless.  

The following C# code shows a small RegEx (regular expression) that you can use to get the base of the email address to be able to store, compare or whatever you would like to do with it.  The comments above the regex variable describe what each part of the email address it matches and works with.

using System.Text.RegularExpressions;

// ((?:\.?[a-z0-9]){1,}) => matches and captures the name with . included
// (?:(?:\.?[\+a-z0-9])*) => matches everything after the +
// (?:@g(oogle)?mail\.com) => matches
string regex = @"((?:\.?[a-z0-9]){1,})(?:(?:\.?[\+a-z0-9])*)(?:@g(oogle)?mail\.com)";
string[] emails = {

foreach (var email in emails)
    string emailMatch = Regex.Match(email.ToLower(), regex).Groups[1].Value;
    string baseEmail = emailMatch.Replace(".", null);

    Console.WriteLine($"{email} -> {baseEmail}");
Sample C# code using RegEx
Sample output from C# code

Keep in mind that I said that the startup that I worked for used Gmail for it's email system, so each of these features would apply also to my company's email accounts.  This little snippet of code would need to be modified to handle other email domains as well to be able to handle all possibilities.  Some companies will feel that it is worth it, where others will not.  This is a business decision, and not for us lowly developers.

Overall, this is an issue that would be easy to overlook when you are making or designing a system.  We all know what email is and these features are not available on all email platforms.  It goes to show that designing and architecting systems can be a complex thing.  Many companies need to put effort into architecting systems and enhance their development practices to make sure that things like this can be covered.  New features on platforms including email platforms are being added every day.  I guess that will keep us employed for the foreseeable future.  I do love these features in Gmail and use them all the time, but the system architect in me looks are these types of issues and just shakes his head.

And if you do experience this happening to you as a user of a system, I will tell you from personal experience that customer support will not understand the problem.  To them, your normal account has not been compromised, your credit card has not been charged, everything is working.  And then they rudely hang up on you when you try to explain things.  Wait... that could be just what they did to me.