
Mailchimp Fixes Flaw Found Leaking User Email Addresses



The service, which allows companies to send email newsletters, invitations and more, fixed an issue that could have leaked a user's email address.

Marketing automation platform MailChimp recently fixed a privacy issue that could have leaked users' email addresses.

The company, one of the more popular email marketing services, fixed the issue at some point over the last month or so. Terence Eden, a researcher who runs Open Standards for the UK Government Digital Service, found the issue, which he called "an annoying privacy violation," last December.

The flaw stems from the Referer header (the HTTP header name is spelled that way in the standard), which a browser usually sends when a user clicks a link: it carries the URL of the page that linked to the resource being requested. MailChimp newsletters can be read as a web page, and the URL of that web version identifies the individual recipient's copy of the email. When a reader clicked a link from that web version, the destination site received the per-recipient URL in the Referer header. Whoever runs that site could then open the URL, scroll to the bottom of the newsletter, where the unsubscribe section usually sits, and see the reader's full email address.

"If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner," Eden wrote in a write-up of the flaw published to his personal blog Thursday.

Eden responsibly disclosed the issue on December 4. While the company was quick to say it would fix the flaw, at the beginning of January it asked the researcher to delay his disclosure. Eden waited two weeks and, after hearing nothing further, published his blog post on Thursday. The post gained some traction on Twitter and elicited a response from the company, which, less than three hours later, said it had implemented a fix.

It's unclear exactly how MailChimp fixed the issue. According to Eden, who cites the Referrer Policy recommendations published by the World Wide Web Consortium (W3C), all the company needed to do was mark each link so that it explicitly sends no referrer (the rel="noreferrer" attribute or a per-link referrerpolicy="no-referrer"), or set a page-wide policy (a meta name="referrer" content="no-referrer" tag, or the equivalent Referrer-Policy response header) so that nothing on the page leaks referral data.
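To make the mechanism and the fix concrete, here is an added example that is not MailChimp's or Eden's code. It models which Referer value a browser sends under each W3C Referrer Policy value, then audits a page's links to show what a cross-site destination would learn. The page URL, its e= token, the host names and the two HTML pages are constructed placeholders and do not reproduce MailChimp's real URL or template format; the legacy and modern browser defaults are stated so the difference between them is visible.

```python
"""Model which Referer value a browser sends for a given Referrer-Policy and
audit a page's links for referrer leakage.

Added example for this article; not MailChimp's or Terence Eden's code.
The page URL, the e= token and the sample HTML below are constructed
placeholders and do not reproduce MailChimp's real URL or template format.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Browsers at the time of the article defaulted to no-referrer-when-downgrade
# (the full page URL is sent to any HTTPS destination). Current browsers default
# to strict-origin-when-cross-origin (only the origin is sent cross-site).
LEGACY_DEFAULT = "no-referrer-when-downgrade"
MODERN_DEFAULT = "strict-origin-when-cross-origin"


def _origin(u):
    return f"{u.scheme}://{u.netloc}/"


def _full(u):
    # A sent Referer never carries the fragment or the userinfo part of the URL.
    host = u.hostname + (f":{u.port}" if u.port else "")
    return urlunsplit((u.scheme, host, u.path, u.query, ""))


def referer_for(page_url, link_url, policy="", rel=""):
    """Return the Referer a browser sends when following link_url from page_url,
    or None when nothing is sent. Implements the W3C Referrer Policy rules;
    rel="noreferrer" on the link overrides whatever policy is in force."""
    if "noreferrer" in (rel or "").lower().split():
        return None
    policy = (policy or "").strip().lower() or LEGACY_DEFAULT
    page, link = urlsplit(page_url), urlsplit(link_url)
    same_origin = (page.scheme, page.netloc) == (link.scheme, link.netloc)
    downgrade = page.scheme == "https" and link.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return _full(page) if same_origin else None
    if policy == "origin":
        return _origin(page)
    if policy == "strict-origin":
        return None if downgrade else _origin(page)
    if policy == "origin-when-cross-origin":
        return _full(page) if same_origin else _origin(page)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return _full(page) if same_origin else _origin(page)
    if policy == "unsafe-url":
        return _full(page)
    # no-referrer-when-downgrade; unrecognised values fall back to it here
    return None if downgrade else _full(page)


class _LinkCollector(HTMLParser):
    """Collect <meta name="referrer"> and every <a href> with its rel/referrerpolicy."""

    def __init__(self):
        super().__init__()
        self.meta_policy = None
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_policy = a.get("content") or ""
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"], a.get("rel") or "", a.get("referrerpolicy") or ""))


def leaking_links(page_url, html, default_policy=LEGACY_DEFAULT):
    """Map each link href to the Referer it would carry when clicked from the
    page at page_url; links that send no Referer at all are left out."""
    collector = _LinkCollector()
    collector.feed(html)
    page_policy = collector.meta_policy or default_policy
    leaks = {}
    for href, rel, link_policy in collector.links:
        target = urljoin(page_url, href)  # relative links resolve to the page's origin
        ref = referer_for(page_url, target, link_policy or page_policy, rel)
        if ref is not None:
            leaks[href] = ref
    return leaks


# Constructed sample: the "view in browser" copy of a newsletter. The e= token
# stands in for whatever identifies one recipient's copy; it is not MailChimp's format.
PAGE_URL = "https://newsletter.example/archive?campaign=42&e=reader-token"

VULNERABLE_PAGE = """<html><body>
<p>Read the full post: <a href="https://blog.example/post">click here</a></p>
<p><a href="/unsubscribe?e=reader-token">Unsubscribe reader@example.com</a></p>
</body></html>"""

HARDENED_PAGE = """<html><head><meta name="referrer" content="no-referrer"></head><body>
<p>Read the full post: <a href="https://blog.example/post" rel="noreferrer">click here</a></p>
<p><a href="/unsubscribe?e=reader-token">Unsubscribe reader@example.com</a></p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("vulnerable", VULNERABLE_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, "(legacy default):", leaking_links(PAGE_URL, page))
        print(name, "(modern default):", leaking_links(PAGE_URL, page, MODERN_DEFAULT))
```

With the legacy default, the vulnerable page hands blog.example the full per-recipient URL, which is exactly what lets a site owner fetch the newsletter and read the unsubscribe footer. With the modern browser default only the origin is sent, which still reveals that the visitor came from the newsletter service but not which recipient; the page-wide no-referrer policy (or rel="noreferrer" on every outbound link) is what removes the header entirely.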

If exploited, the issue could have revealed to a site owner which newsletter a visitor had come from and, as Eden demonstrated, the visitor's email address, something that could then be used in spam or phishing campaigns.

Chris Brook


Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.