by Tara Seals
January 18, 2018
MailChimp, the bulk email company responsible for sending millions of newsletters, promotional mail and other mass communiques every day, has been leaking recipients’ email addresses to the websites those recipients click through to.
Security researcher Terence Eden found what he termed “an annoying privacy violation,” adding that the issue can expose personal information. The issue is this: when a recipient clicks a link in a MailChimp email, the browser opens the link and sends the newly visited website what is known as a “Referer” header (the misspelling is intentional; the HTTP header has been spelled that way since the original specification).
“This says, ‘Hello new site, I was referred here by this previous website,’” said Eden, in a blog. “This has some privacy implications – the administrator of a website can see which website you were on. Usually this is fairly benign, but it can leak sensitive information.”
The mechanism works like this, he explained: every message sent to a MailChimp mailing list carries a unique link to the web version of that specific recipient’s copy of the email. When the recipient opens that web version and clicks a link in it, the destination site receives the unique URL in the Referer header, and it is collated in the server logs that the site administrator can read. Because the page is that user’s own copy of the email, it has, at the bottom, links to change the email address as well as to unsubscribe.
The unsubscribe link, when clicked, shows the user’s full email address.
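To make the leak concrete from the site administrator’s side, here is an added Python example (not code from the article or from Eden’s research). It scans constructed web-server access-log lines in the common combined format for requests whose Referer is a MailChimp web-view URL, pulling out the client address, the page landed on and the per-recipient token, which is exactly what an administrator reading those logs would be handed. It then checks whether a page’s Referrer-Policy response header would stop the full URL (including its query string) from being sent to other origins; that header would need to be set on the referring page, not on the destination site. The archive hostnames, the use of `e` as the per-recipient query parameter, and the log lines are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined Log Format (Apache/nginx default): the Referer is the first
# quoted field after the status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION: illustrative hosts for MailChimp's per-recipient web-view pages;
# confirm against the hostnames that actually appear in your own logs.
ARCHIVE_HOSTS = ("campaign-archive.com", "mailchi.mp", "list-manage.com")
# ASSUMPTION: the 'e' query parameter is treated as the per-recipient identifier.
RECIPIENT_PARAM = "e"

# Constructed sample log lines (not real traffic); only the first one carries
# a web-view URL as its Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jan/2018:10:01:02 +0000] "GET /blog/post HTTP/1.1" 200 5120 '
    '"https://us1.campaign-archive.com/?u=abc123&id=def456&e=7f9e2c1a" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jan/2018:10:02:15 +0000] "GET /pricing HTTP/1.1" 200 2048 '
    '"https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Jan/2018:10:03:40 +0000] "GET /blog/post HTTP/1.1" 200 5120 '
    '"-" "curl/7.58"',
]


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_archive_referer(referer):
    """True if the Referer points at one of the assumed web-view hosts (or a subdomain)."""
    if referer in ("", "-"):
        return False
    host = urlparse(referer).hostname or ""
    return any(host == h or host.endswith("." + h) for h in ARCHIVE_HOSTS)


def find_leaked_referers(lines):
    """Return one record per request whose Referer is a MailChimp web-view URL.

    Each record carries the client IP, the page they landed on, the full
    referer, and the per-recipient token if present. Anyone who can read
    these logs can open the referer URL and reach that recipient's copy of
    the email, including its unsubscribe link.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_archive_referer(rec["referer"]):
            continue
        query = parse_qs(urlparse(rec["referer"]).query)
        hits.append({
            "ip": rec["ip"],
            "landed_on": rec["path"],
            "referer": rec["referer"],
            "recipient_token": query.get(RECIPIENT_PARAM, [None])[0],
        })
    return hits


def referrer_policy_suppresses(headers):
    """Check a referring page's response headers: does its Referrer-Policy
    prevent the full URL from being sent to a different origin?

    Policies that send at most the origin cross-site count as safe. An empty
    or unrecognised policy is treated as unsafe, since the browser default
    has varied over time. When several comma-separated policies are listed,
    the last recognised one wins.
    """
    policy = {k.lower(): v for k, v in headers.items()}.get("referrer-policy", "")
    safe = {"no-referrer", "same-origin", "origin", "strict-origin",
            "origin-when-cross-origin", "strict-origin-when-cross-origin"}
    leaky = {"no-referrer-when-downgrade", "unsafe-url"}
    chosen = ""
    for token in (t.strip().lower() for t in policy.split(",")):
        if token in safe or token in leaky:
            chosen = token
    return chosen in safe


if __name__ == "__main__":
    for hit in find_leaked_referers(SAMPLE_LOG):
        print(hit)
    print("no-referrer suppresses:",
          referrer_policy_suppresses({"Referrer-Policy": "no-referrer"}))
```

Run against a real access log, `find_leaked_referers` is the quickest way to see how many visitors arrived from a web-view page; the `recipient_token` field is what ties each visit to one mailing-list member.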
It may sound relatively harmless, but the implication is that the site administrator gets not only a picture of what the person is interested in but also a list of valid email addresses – enough to craft spear-phishing or watering-hole attacks. Or nefarious sorts could simply try to brute-force the password on the account behind the address and set about stealing information.
“If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner,” Eden said.
The impact on an individual’s security posture is limited, however, and other researchers pointed out that email addresses are already widely exposed.
“At the risk of angering the privacy gods, so what!” Chris Roberts, chief security architect at Acalvio, told Infosecurity. “Yes, it’s not good that it’s possible to reverse into the email address from a link. It never is. [However], Ancestry lost 300,000 email accounts. That’s 300,000 that I DON’T have to reverse into each and every one. I don’t have to play ‘hunt the unsubscribe link’. I just get a nice, big file of 300,000 of them dropped into my lap.”