
Mailchimp Fixes Flaw Found Leaking User Email Addresses

by Chris Brook on Friday January 19, 2018


The service, which allows companies to send email newsletters, invitations and more, fixed an issue that could have leaked a user's email address.

Marketing automation platform MailChimp recently fixed a privacy issue that could have leaked newsletter recipients' email addresses to the owners of sites linked from a newsletter.

The company, one of the more popular email marketing services, fixed the issue at some point over the past month or so. Terence Eden, a researcher who runs Open Standards for the UK Government Digital Service, found the issue, which he called "an annoying privacy violation," last December.

The flaw stems from the fact that when a user clicks a link in an email, the browser usually sends a Referer header, an HTTP header field that carries the address of the page that linked to the resource being requested. In MailChimp's case, the page sending that referrer was the web version of the recipient's own copy of the email, which has its own URL. A site owner who found that URL in their server logs and followed it could scroll to the bottom of the page, where the unsubscribe section usually is, and see the recipient's full email address.

“If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner,” Eden wrote in a write up of the flaw published to his personal blog Thursday.

Eden responsibly disclosed the issue on December 4 and, while the company was quick to say it would fix the flaw, it asked the researcher to delay his disclosure at the beginning of January. Eden waited two weeks and, after he failed to hear back, published his blog post on Thursday. The post gained some traction on Twitter and elicited a response from the company, which, not even three hours later, said it had implemented a fix.

It's unclear exactly how MailChimp fixed the issue. According to Eden, who cites the W3C Referrer Policy recommendation, all the company needed to do was set each link explicitly not to send a referrer. Alternatively, the whole page could carry a referrer policy so that no link on it leaks referral data.

If exploited, the issue could have revealed which website a reader had come from or, as Eden demonstrated, the reader's email address, which could then be used in spam or phishing campaigns.
