
Mailchimp Fixes Flaw Found Leaking User Email Addresses

by Chris Brook on Friday January 19, 2018


The service, which allows companies to send email newsletters, invitations and more, fixed an issue that could have leaked a user's email address.

Marketing automation platform MailChimp recently fixed a privacy issue that could have leaked users' email addresses.

The company, one of the more popular email marketing services, fixed the issue at some point over the last month or so. Terence Eden, a researcher who runs Open Standards for the UK Government Digital Service, found the issue, “an annoying privacy violation,” last December.

The flaw stems from the fact that when a user clicks a link in an email, the browser usually sends a Referer header, an HTTP header field that contains the address of the web page that linked to the resource being requested. In MailChimp's case, that address pointed to the web version of the user's own copy of the email. Anyone who visited it and scrolled to the bottom, where the unsubscribe section usually sits, would be able to see that user's full email address.

“If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner,” Eden wrote in a write up of the flaw published to his personal blog Thursday.

Eden responsibly disclosed the issue on December 4 and while the company was quick to say it would fix the flaw, it asked the researcher to delay his disclosure at the beginning of January. Eden waited two weeks and after he failed to hear back, published his blog post on Thursday. The post gained some traction on Twitter and elicited a response from the company, which not even three hours later, said it had implemented a fix.

It's unclear exactly how MailChimp fixed the issue. According to Eden, who cites recommendations published by the World Wide Web Consortium (W3C), all the company needed to do was set each link explicitly not to send a referrer. Alternatively, the company could have set the whole page not to leak referrer data.
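The two mitigations Eden points to map onto the W3C Referrer Policy mechanisms: a per-link `rel="noreferrer"` (or `referrerpolicy="no-referrer"`) attribute, or a page-wide `<meta name="referrer" content="no-referrer">` tag. The script below is an added example, not code from the article, from Eden, or from MailChimp; it is a small lint, written against Python's standard-library HTML parser, that reads a newsletter's web-view page and reports every cross-site link whose effective policy would still send a referrer. The page URL, hostnames and the subscriber address in the sample pages are constructed placeholders, and the "default" policy label simply means no policy was declared anywhere.

```python
"""Lint a newsletter web-view page for Referer leakage (added example, not MailChimp's code).

A cross-site link leaks the page address unless its effective referrer policy is
"no-referrer". The effective policy is resolved the way the W3C Referrer Policy
spec describes: a link's own referrerpolicy attribute wins, then rel="noreferrer",
then the page-wide <meta name="referrer"> tag, else the browser default.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed placeholder for the web version of one subscriber's copy of the email.
PAGE_URL = "https://newsletter.example/campaign/123?subscriber=PLACEHOLDER"

# Constructed sample: no referrer policy anywhere, and one link that even forces the full URL.
VULNERABLE_PAGE = """<html><body>
<p>Read our latest post: <a href="https://news.example/post/1">here</a></p>
<p>Also: <a href="https://shop.example/sale" referrerpolicy="unsafe-url">sale</a></p>
<p><a href="/unsubscribe">Unsubscribe</a> subscriber@example.com</p>
</body></html>"""

# Constructed sample: page-wide no-referrer policy plus an explicit per-link rel="noreferrer".
HARDENED_PAGE = """<html><head><meta name="referrer" content="no-referrer"></head><body>
<p>Read our latest post: <a href="https://news.example/post/1" rel="noreferrer">here</a></p>
<p>Also: <a href="https://shop.example/sale">sale</a></p>
<p><a href="/unsubscribe">Unsubscribe</a> subscriber@example.com</p>
</body></html>"""


class _Collector(HTMLParser):
    """Collects the page-wide meta referrer policy and every <a href> with its own attributes."""

    def __init__(self):
        super().__init__()
        self.page_policy = None
        self.links = []  # (href, rel tokens, referrerpolicy attribute)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names are already lowercased
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.page_policy = a.get("content", "").strip().lower()
        elif tag == "a" and a.get("href"):
            self.links.append(
                (a["href"], a.get("rel", "").lower().split(), a.get("referrerpolicy", "").strip().lower())
            )


def effective_policy(rel_tokens, link_policy, page_policy):
    """Resolve the policy a browser would apply to one link (attribute > rel > meta > default)."""
    if link_policy:
        return link_policy
    if "noreferrer" in rel_tokens:
        return "no-referrer"
    return page_policy or "default"


def find_referrer_leaks(html, page_url):
    """Return [(href, effective_policy)] for every cross-site link that would send a referrer."""
    collector = _Collector()
    collector.feed(html)
    page_host = urlsplit(page_url).netloc.lower()
    leaks = []
    for href, rel, link_policy in collector.links:
        host = urlsplit(href).netloc.lower()
        if not host or host == page_host:
            continue  # relative or same-site link: the Referer never leaves the site
        policy = effective_policy(rel, link_policy, collector.page_policy)
        if policy != "no-referrer":
            leaks.append((href, policy))
    return leaks


if __name__ == "__main__":
    for name, page in (("vulnerable", VULNERABLE_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, find_referrer_leaks(page, PAGE_URL))
```

Only "no-referrer" counts as safe here because an origin-only policy such as `strict-origin-when-cross-origin` would still tell the destination site which newsletter the click came from, which is the "reading habits" half of the leak Eden describes; it would, however, hide the per-subscriber path that exposed the email address.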

If exploited, the issue could have revealed which website a user had come from or, as Eden demonstrated, the user's email address, something that could then be used in spam or phishing campaigns.

Tags:  Security News Privacy
