Security researcher Terence Eden found an interesting privacy issue last month in MailChimp, the market-leading email newsletter service that recently controversially decided double opt-in was somehow a bad thing.
Eden noticed in his website’s referral logs that he was receiving traffic from someone else’s newsletter sent through MailChimp.
That in itself seems harmless, but each “referer” (sic) header points back to a web-based edition of the newsletter, at a unique URL tied to the subscriber.
And at the end of each web-based newsletter there is an “Update email address” option.
Eden is a curious fellow, and so naturally he clicked on one of those links to see what secrets it might reveal.
Darnit! The email address is partially obscured. In some cases it might be enough for the curious website owner to determine who had visited his webpage, which could potentially be eyebrow-raising if the newsletter was salacious – but unlikely to be a huge concern in the case of visitors to Eden’s blog.
But don’t worry if you can’t determine the full email address. MailChimp has helpfully gone one step further in revealing email addresses if you just click on the option to “Unsubscribe.”
Whoops! And there is the whole email address. You now know exactly who came via someone else’s newsletter to your website.
The good news is that Eden responsibly disclosed the problem to MailChimp in December, and the issue was fixed last week. The even better news is that the privacy hole is certainly not one that could be easily exploited to hoover up millions of email addresses.
And, lets face it, if criminals wanted to gather a large number of email addresses there are enough multi-million record data breaches out there to keep them busy for some time.
All the same, there are lessons that companies can learn from MailChimp’s privacy blunder, as Eden explains:
It’s possible for a website to tell a browser not to send referrer information. There are two main ways to do this.
Each link can be explicitly set not to provide a referrer:
<a href="https://example.com/" rel="noreferrer">
Alternatively, the whole page can be set not to leak referral data:
<meta name="referrer" content="none">
Other newsletter services would be wise not to feel too smug about this. After all, they might be doing something similar.
Even if they aren’t revealing subscribers’ email addresses it might be possible for other mischief to occur through the leak of too much information through the referrer – such as unwanted unsubscribes.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.