MailChimp plugs a hole that could have leaked your email address

Privacy hole couldn’t be easily exploited to hoover up millions of email addresses.

Graham Cluley
Graham Cluley
@[email protected]

MailChimp plugs a hole that could have leaked your email address

Security researcher Terence Eden found an interesting privacy issue last month in MailChimp, the market-leading email newsletter service that recently controversially decided double opt-in was somehow a bad thing.

Eden noticed in his website’s referral logs that he was receiving traffic from someone else’s newsletter sent through MailChimp.

Referer stats

Sign up to our free newsletter.
Security news, advice, and tips.

That in itself seems harmless, but each “referer” (sic) header points back to a web-based edition of the newsletter, at a unique URL tied to the subscriber.

And at the end of each web-based newsletter there is an “Update email address” option.

Eden is a curious fellow, and so naturally he clicked on one of those links to see what secrets it might reveal.

Email update

Darnit! The email address is partially obscured. In some cases it might be enough for the curious website owner to determine who had visited his webpage, which could potentially be eyebrow-raising if the newsletter was salacious – but unlikely to be a huge concern in the case of visitors to Eden’s blog.

But don’t worry if you can’t determine the full email address. MailChimp has helpfully gone one step further in revealing email addresses if you just click on the option to “Unsubscribe.”

Unsubscribe email revealed

Whoops! And there is the whole email address. You now know exactly who came via someone else’s newsletter to your website.

The good news is that Eden responsibly disclosed the problem to MailChimp in December, and the issue was fixed last week. The even better news is that the privacy hole is certainly not one that could be easily exploited to hoover up millions of email addresses.

And, lets face it, if criminals wanted to gather a large number of email addresses there are enough multi-million record data breaches out there to keep them busy for some time.

All the same, there are lessons that companies can learn from MailChimp’s privacy blunder, as Eden explains:

It’s possible for a website to tell a browser not to send referrer information. There are two main ways to do this.

Each link can be explicitly set not to provide a referrer:

<a href="" rel="noreferrer">

Alternatively, the whole page can be set not to leak referral data:
<meta name="referrer" content="none">

Other newsletter services would be wise not to feel too smug about this. After all, they might be doing something similar.

Even if they aren’t revealing subscribers’ email addresses it might be possible for other mischief to occur through the leak of too much information through the referrer – such as unwanted unsubscribes.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.