MailChimp plugs a hole that could have leaked your email address

Graham Cluley

Security researcher Terence Eden found an interesting privacy issue last month in MailChimp, the market-leading email newsletter service that recently controversially decided double opt-in was somehow a bad thing.

Eden noticed in his website’s referral logs that he was receiving traffic from someone else’s newsletter sent through MailChimp.

[Screenshot: Referer stats]

That in itself seems harmless, but each “referer” (sic – the misspelling is the HTTP specification’s own) header is sent by the subscriber’s browser when they click a link in the newsletter, and it carries the full URL of the page they came from: the web-based edition of that newsletter, which MailChimp serves at a unique URL tied to the individual subscriber.
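A site owner can find this kind of leak in their own logs without waiting to stumble on it. The following is an added example, not Eden’s method or any tool of his, that parses a handful of constructed Apache/nginx “combined” format log lines and reports any referring page that keeps turning up with a different query string for each visitor, which is the signature of a personalised, per-subscriber URL. The newsletter host name and tokens in the sample lines are made up.

```python
"""Spot third-party pages that leak per-visitor URLs into your referrer logs.
Added example, not Eden's or MailChimp's code; the log lines are constructed
and the newsletter host is hypothetical."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format. The Referer header is the first quoted
# field after the status code and response size.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: three visitors arriving from the same newsletter page,
# each with a different per-subscriber token, plus a search engine hit and a
# direct visit with no referrer at all.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2017:09:12:01 +0000] "GET /blog/post HTTP/1.1" 200 5120 "https://newsletter.example.net/abc123?e=7f3a9c" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2017:09:13:44 +0000] "GET /blog/post HTTP/1.1" 200 5120 "https://newsletter.example.net/abc123?e=0b21de" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2017:09:15:02 +0000] "GET /blog/post HTTP/1.1" 200 5120 "https://search.example.com/?q=blog" "Mozilla/5.0"
203.0.113.6 - - [10/Jan/2017:09:16:30 +0000] "GET /blog/post HTTP/1.1" 200 5120 "https://newsletter.example.net/abc123?e=c4d5e6" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2017:09:18:12 +0000] "GET /blog/other HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def referrers(log_text):
    """Yield the Referer value of every parsable line that actually carries one."""
    for line in log_text.splitlines():
        m = _COMBINED.match(line)
        if m and m.group("referer") not in ("", "-"):
            yield m.group("referer")


def personalised_referrers(log_text, min_variants=3):
    """Group referrers by scheme + host + path and return those seen with at
    least `min_variants` distinct query strings. One page, many visitors, each
    with a unique URL is what a per-subscriber newsletter edition looks like
    from the receiving site's side."""
    variants = defaultdict(set)
    for ref in referrers(log_text):
        parts = urlsplit(ref)
        page = f"{parts.scheme}://{parts.netloc}{parts.path}"
        variants[page].add(parts.query)
    return {page: qs for page, qs in variants.items() if len(qs) >= min_variants}


if __name__ == "__main__":
    for page, qs in personalised_referrers(SAMPLE_LOG).items():
        print(f"{page}: {len(qs)} distinct per-visitor tokens in the referrer")
```

The threshold is deliberately low so that a small blog’s logs still surface a leak; on a busy site raise `min_variants` to cut noise from ordinary tracking parameters, and treat any flagged page as a prompt to open one of those URLs yourself and see what it reveals, as Eden did.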

And at the end of each web-based newsletter there is an “Update email address” option.

Eden is a curious fellow, and so naturally he clicked on one of those links to see what secrets it might reveal.

[Screenshot: Email update]

Darnit! The email address is partially obscured. In some cases it might be enough for the curious website owner to determine who had visited his webpage, which could potentially be eyebrow-raising if the newsletter was salacious – but unlikely to be a huge concern in the case of visitors to Eden’s blog.

But don’t worry if you can’t determine the full email address. MailChimp has helpfully gone one step further in revealing email addresses if you just click on the option to “Unsubscribe.”

[Screenshot: Unsubscribe email revealed]

Whoops! And there is the whole email address. You now know exactly who came via someone else’s newsletter to your website.

The good news is that Eden responsibly disclosed the problem to MailChimp in December, and the issue was fixed last week. The even better news is that the privacy hole is certainly not one that could be easily exploited to hoover up millions of email addresses: it only exposes subscribers who click through to a website whose operator bothers to follow the referrer back, one address at a time.

And, let's face it, if criminals wanted to gather a large number of email addresses there are enough multi-million record data breaches out there to keep them busy for some time.

All the same, there are lessons that companies can learn from MailChimp’s privacy blunder, as Eden explains:

It’s possible for a website to tell a browser not to send referrer information. There are two main ways to do this.

Each link can be explicitly set not to provide a referrer:

<a href="https://example.com/" rel="noreferrer">Read more</a>

Alternatively, the whole page can be set not to leak referral data:

<!-- "no-referrer" is the standard keyword; older drafts spelt it "none" -->
<meta name="referrer" content="no-referrer">
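Put together, the web edition of a newsletter should carry both protections, and anyone running such a service should be able to check that it does. The following is an added example, not MailChimp’s or Eden’s code: it parses a newsletter page with Python’s standard `html.parser`, reports every external link that lacks `rel="noreferrer"` and whether a page-wide `<meta name="referrer">` policy is present, and renders a hardened edition that the same audit passes. The sample page, host name and subscriber token are constructed, and the per-subscriber profile and unsubscribe links are modelled on the ones the article describes.

```python
"""Audit a web-hosted newsletter page for referrer leakage and render a
hardened edition. Added example, not MailChimp's or Eden's code; the host
name, campaign id and subscriber token are made up."""
from html import escape
from html.parser import HTMLParser

# "no-referrer" is the standard keyword. The pre-standard "none" spelling is
# deliberately not accepted here, so a page relying on it gets flagged.
SAFE_PAGE_POLICIES = {"no-referrer"}


class _ReferrerAuditor(HTMLParser):
    """Collects the page-level referrer policy and every external <a> that
    does not carry rel="noreferrer"."""

    def __init__(self):
        super().__init__()
        self.page_policy = None
        self.leaky_links = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.page_policy = a.get("content", "").strip().lower()
        elif tag == "a" and a.get("href", "").startswith(("http://", "https://")):
            if "noreferrer" not in a.get("rel", "").lower().split():
                self.leaky_links.append(a["href"])


def audit(html_text):
    """Return (page_policy_or_None, [hrefs that would send a referrer])."""
    p = _ReferrerAuditor()
    p.feed(html_text)
    p.close()
    return p.page_policy, p.leaky_links


def leaks_referrer(html_text):
    """True if clicking any external link on the page would reveal its URL."""
    policy, leaky = audit(html_text)
    if policy in SAFE_PAGE_POLICIES:
        return False  # the page-wide policy covers every link
    return bool(leaky)  # otherwise any unmarked link leaks the page URL


def render_newsletter(campaign_id, subscriber_token, links):
    """Build the web-hosted edition so that neither the per-subscriber page
    URL nor the profile/unsubscribe links reach a third party's logs."""
    base = f"https://newsletter.example.net/{campaign_id}"  # hypothetical host
    footer = [
        ("Update email address", f"{base}/profile?e={subscriber_token}"),
        ("Unsubscribe", f"{base}/unsubscribe?e={subscriber_token}"),
    ]
    anchors = "\n".join(
        f'<a href="{escape(href, quote=True)}" rel="noreferrer">{escape(text)}</a>'
        for text, href in list(links) + footer
    )
    return (
        "<!doctype html><html><head>"
        '<meta name="referrer" content="no-referrer">'
        "</head><body>\n" + anchors + "\n</body></html>"
    )


# Constructed sample modelled on the page the article describes: a link to
# the blogger's site plus per-subscriber profile and unsubscribe links, with
# no referrer policy anywhere.
LEAKY_PAGE = """<!doctype html><html><head><meta charset="utf-8"></head><body>
<p>This week's post: <a href="https://blog.example.org/post">Read the post</a></p>
<p><a href="https://newsletter.example.net/abc123/profile?e=7f3a9c">Update email address</a>
 | <a href="https://newsletter.example.net/abc123/unsubscribe?e=7f3a9c">Unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    print("leaky page leaks:", leaks_referrer(LEAKY_PAGE), audit(LEAKY_PAGE))
    fixed = render_newsletter("abc123", "7f3a9c", [("Read the post", "https://blog.example.org/post")])
    print("hardened page leaks:", leaks_referrer(fixed))
```

The audit treats the page-wide policy as sufficient on its own and per-link `rel="noreferrer"` as sufficient on its own; the renderer emits both, because the `<meta>` tag is lost if the HTML is copied into another page while the per-link attribute travels with the link. The same service should also send a `Referrer-Policy: no-referrer` response header on the web edition, which protects the page even when a client ignores the markup.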

Other newsletter services would be wise not to feel too smug about this. After all, they might be doing something similar.

Even if they aren’t revealing subscribers’ email addresses, a leaked per-subscriber URL can enable other mischief – such as unwanted unsubscribes, if a third party who sees the unsubscribe link in their logs simply visits it on the subscriber’s behalf.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
