Marketing automation platform MailChimp recently fixed a privacy issue that could leak newsletter recipients' email addresses to the websites they clicked through to.
The company, one of the more popular email marketing services, fixed the issue at some point over the last month or so. Terence Eden, a researcher who runs Open Standards for the UK Government Digital Service, found the issue, which he called “an annoying privacy violation,” last December.
The flaw stems from the Referer header. When a user clicks a link, the browser usually sends this HTTP header field, which contains the address of the page the link was on, to the destination site. In MailChimp's case that page was the personalized web version of the email the user was reading, so the owner of the destination site received a URL pointing at that user's own copy of the newsletter. Anyone who opened that URL and scrolled to the bottom, where the unsubscribe section usually sits, could see the user's full email address.
“If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner,” Eden wrote in a write-up of the flaw published to his personal blog Thursday.
Eden responsibly disclosed the issue on December 4. While the company was quick to say it would fix the flaw, at the beginning of January it asked him to delay his disclosure. Eden waited two weeks and, after hearing nothing further, published his blog post on Thursday. The post gained some traction on Twitter and drew a response from the company, which said less than three hours later that it had implemented a fix.
The issue has been fixed. We’re sorry for the delay, and we’re reviewing how we handle reported issues.
— MailChimp (@MailChimp) January 18, 2018
It's unclear exactly how MailChimp fixed the issue. According to Eden, who cites the Referrer Policy recommendations published by the World Wide Web Consortium (W3C), all the company needed to do was mark each link explicitly so that it does not send a referrer (the `rel="noreferrer"` link type), or set a policy for the whole page so that it does not leak referrer data (a `<meta name="referrer">` tag). Either way, a site owner would no longer receive the URL of the user's personal copy of the newsletter.
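As an added example (not MailChimp's code and not taken from Eden's post), the following Python script models the leak described above and the two fixes the W3C Referrer Policy allows: a page-wide `<meta name="referrer" content="no-referrer">` tag, or `rel="noreferrer"` on each link. It audits a newsletter's web-version page for links that would hand the personalized URL to another origin, then hardens the page and re-audits it. The page HTML, the page URL and the subscriber token in it are constructed for illustration and are not MailChimp's real scheme; `referer_for` is a simplified model of browser behaviour (it assumes the 2018 default of sending the full URL to cross-origin HTTPS destinations), not a browser's exact algorithm.

```python
"""Audit a newsletter's "web version" page for Referer leaks and harden it.

Added example, not MailChimp's code. The page HTML, the page URL and the
subscriber token in it are constructed; the URL shape is an assumption,
not MailChimp's real scheme.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Referrer Policy values that never send the page's path and query to a
# different origin (the path and query are where the per-subscriber token lives).
SAFE_POLICIES = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}
META_NO_REFERRER = '<meta name="referrer" content="no-referrer">'


class LinkAuditor(HTMLParser):
    """Collect the page-level referrer policy and every <a href>, recording
    whether the link itself is protected (rel=noreferrer or a safe referrerpolicy)."""

    def __init__(self):
        super().__init__()
        self.meta_policy = ""      # "" means the page sets no policy
        self.links = []            # [(href, link_protected)]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_policy = (a.get("content") or "").strip().lower()
        elif tag == "a" and a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            policy = (a.get("referrerpolicy") or "").strip().lower()
            self.links.append((a["href"], "noreferrer" in rel or policy in SAFE_POLICIES))


def referer_for(page_url, href, meta_policy, link_protected):
    """Simplified model of the Referer a browser sends when a link on page_url
    is followed.  Assumption: follows the W3C Referrer Policy rules for an https
    page, ignores scheme downgrades, and treats "no policy" like the 2018
    browser default (full URL sent to other origins)."""
    if link_protected or meta_policy == "no-referrer":
        return None
    page, target = urlparse(page_url), urlparse(href)
    cross_origin = bool(target.netloc) and target.netloc != page.netloc
    origin_only = "%s://%s/" % (page.scheme, page.netloc)
    if meta_policy == "same-origin":
        return None if cross_origin else page_url
    if meta_policy in ("origin", "strict-origin"):
        return origin_only
    if meta_policy in ("origin-when-cross-origin", "strict-origin-when-cross-origin"):
        return origin_only if cross_origin else page_url
    # "", "unsafe-url", "no-referrer-when-downgrade": the full URL, token
    # included, lands in the destination site's access log.
    return page_url


def audit(html, page_url):
    """Return (page_policy, [(href, Referer the destination would receive)])."""
    parser = LinkAuditor()
    parser.feed(html)
    return parser.meta_policy, [(href, referer_for(page_url, href, parser.meta_policy, prot))
                                for href, prot in parser.links]


def leaking_links(html, page_url):
    """Links that would hand the personalised page URL to another origin.
    Whoever receives that URL can open the page and read the address in the footer."""
    host = urlparse(page_url).netloc
    return [href for href, ref in audit(html, page_url)[1]
            if ref == page_url and urlparse(href).netloc not in ("", host)]


def harden(html):
    """Apply both W3C mechanisms: a page-wide no-referrer policy and
    rel="noreferrer" on every anchor, so the protection survives if either is
    dropped later.  Idempotent; handles double-quoted rel attributes only."""
    if not re.search(r'<meta\s[^>]*name\s*=\s*"referrer"', html, re.I):
        if re.search(r"<head[^>]*>", html, re.I):
            html = re.sub(r"(<head[^>]*>)", r"\1" + META_NO_REFERRER, html, count=1, flags=re.I)
        else:
            html = META_NO_REFERRER + html

    def fix_anchor(m):
        attrs = m.group(1)
        rel = re.search(r'\brel\s*=\s*"([^"]*)"', attrs, re.I)
        if rel is None:
            return '<a%s rel="noreferrer">' % attrs
        if "noreferrer" in rel.group(1).lower().split():
            return m.group(0)
        return "<a" + attrs[:rel.end(1)] + " noreferrer" + attrs[rel.end(1):] + ">"

    return re.sub(r"<a\b([^>]*)>", fix_anchor, html, flags=re.I)


# Constructed sample: the web version of one subscriber's copy of a newsletter.
PAGE_URL = "https://news.example-newsletter.test/campaign?id=c0ffee&e=sub-7f3a9"
SAMPLE_PAGE = """<html><head><title>Weekly digest</title></head><body>
<p>Read the story <a href="https://blog.third-party.test/post/42">here</a>.</p>
<p><a href="https://partner.third-party.test/" rel="noreferrer">Partner offer</a></p>
<p><a href="/archive">Past issues</a></p>
<p class="footer">You are subscribed as alice@example.test.
<a href="https://news.example-newsletter.test/unsubscribe?e=sub-7f3a9">Unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    print("leaks before:", leaking_links(SAMPLE_PAGE, PAGE_URL))
    print("leaks after: ", leaking_links(harden(SAMPLE_PAGE), PAGE_URL))
```

Run stand-alone, the script reports the one unprotected cross-origin link before hardening and none afterwards. Note that current browsers default to `strict-origin-when-cross-origin`, which would have sent only the origin to the third-party site, but a page cannot rely on client defaults: an explicit policy is the only setting the sender controls.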
If exploited, the issue could have revealed to a site owner which newsletter a visitor had come from and, as Eden demonstrated, the visitor's email address, which could then be used in spam or phishing campaigns.