
MailChimp has plugged a privacy issue that leaked users’ email addresses when they responded to websites’ newsletter campaigns.

Self-proclaimed mobile enthusiast Terence Eden discovered what he calls an “annoying privacy violation” while viewing the referral logs for his website. Those logs record the “Referer” header (the misspelling is part of the HTTP standard), an optional request header that carries the address of the web page from which the link to the current page was followed. It is essentially what a web browser sends to a newly opened site when a user clicks on a link, such as one found on a Facebook business page or in a marketing email.

Here’s Eden on Referer Headers:

This says “Hello new site, I was referred here by this previous website.” This has some privacy implications – the administrator of a web site can see which website you were on. Usually this is fairly benign, but it can leak sensitive information, as I shall demonstrate.
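To make the mechanism concrete, here is an added example (not from the original article, and not code from MailChimp or Eden) that works out, in Python, which Referer value a browser sends for each Referrer-Policy setting when a page links out to another site. The newsletter and blog URLs, and the recipient and campaign identifiers in them, are constructed placeholders, not MailChimp's real URL format. Browsers of that era defaulted to no-referrer-when-downgrade, which sends the full URL, path and query included, to any non-downgraded destination, so a page whose URL identifies the recipient hands that identifier to every site it links to; the sending site can stop this by serving a Referrer-Policy header (or a `<meta name="referrer">` tag) of no-referrer, or by not placing per-recipient tokens in URLs at all.

```python
from urllib.parse import urlsplit, urlunsplit

# The eight Referrer-Policy values defined by the W3C Referrer Policy spec.
POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "origin",
    "origin-when-cross-origin",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
)


def _origin(url: str) -> str:
    """scheme://host[:port], with any user:password@ stripped."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"


def _full(url: str) -> str:
    """The URL as a referrer: credentials and #fragment removed, path and query kept."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return urlunsplit((p.scheme, f"{p.hostname or ''}{port}", p.path, p.query, ""))


def referer_for(source_url: str, dest_url: str,
                policy: str = "strict-origin-when-cross-origin"):
    """Return the Referer value a browser sends when a link on source_url leads to
    dest_url under the given policy, or None when no header is sent at all."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    same_origin = _origin(source_url) == _origin(dest_url)
    # A "downgrade" is an https page linking to a plain-http destination.
    downgrade = (urlsplit(source_url).scheme == "https"
                 and urlsplit(dest_url).scheme == "http")
    # Browsers serialise a bare origin with a trailing slash.
    origin_only = _origin(source_url) + "/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(source_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(source_url)
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return _full(source_url) if same_origin else origin_only
    if policy == "same-origin":
        return _full(source_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    # strict-origin-when-cross-origin: the default in current browsers.
    if same_origin:
        return _full(source_url)
    return None if downgrade else origin_only


def exposes_path_or_query(referer) -> bool:
    """True if the referer carries more than the bare origin, i.e. a per-recipient
    path or query string would land in the linked site's access logs."""
    if referer is None:
        return False
    p = urlsplit(referer)
    return p.path not in ("", "/") or bool(p.query)


def leak_report(source_url: str, dest_url: str) -> dict:
    """Map every policy to (Referer sent, whether it exposes path/query)."""
    report = {}
    for pol in POLICIES:
        ref = referer_for(source_url, dest_url, pol)
        report[pol] = (ref, exposes_path_or_query(ref))
    return report


if __name__ == "__main__":
    # Constructed sample: a per-recipient newsletter URL (placeholder ids) that
    # links out to a third-party blog, as in the scenario described above.
    newsletter = "https://news.example.net/campaign?u=RECIPIENT-ID-PLACEHOLDER&id=CAMPAIGN-ID"
    target = "https://blog.example.org/post"
    for pol, (ref, leaks) in leak_report(newsletter, target).items():
        print(f"{pol:32} -> {ref!r:75} exposes_recipient={leaks}")
```

Running the block prints one line per policy; only no-referrer-when-downgrade and unsafe-url forward the recipient-bearing path and query to the cross-origin blog, which is the condition under which a site owner reading their own logs sees other people's newsletter links.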

In his logs, Eden discovered several links from the marketing automation platform MailChimp. When he clicked on them, he found that each one was unique: it led to the exact newsletter that had been sent out. He then realized that each link went to a particular recipient’s own copy of the newsletter, meaning he could update that user’s email address or unsubscribe them if he wished.

What Eden discovered at the bottom of a referer link page. (Source: Thomas Eden)

His curiosity piqued, Eden clicked on the “update your email” link at the bottom of the page. Doing so revealed a version of the email address masked with asterisks. He then tried the “unsubscribe” link instead. That action revealed the respondent’s email address in full.

What’s the implication of an issue such as this?

Technically, a malicious domain owner could exploit the weakness to harvest email addresses from unsubscribe links. They could then craft phishing messages and/or spam campaigns and send them to the collected addresses. Alternatively, they could attempt to brute-force their way into the leaked email accounts.

Joseph Carson, chief security scientist at Thycotic, recognizes that threat. As he told Infosecurity Magazine, however, many users’ emails have already been leaked online as a result of data breaches and other security incidents:

Given that in recent years more than 4.5 billion credentials and identities have been leaked as a result of several major data breaches, including high-profile data breaches such as Yahoo and Equifax, as well as security researchers finding almost 2 billion compromised passwords on the Dark Net for sale, it is very likely that your email address has already been leaked, or, worse, your previously used passwords. With spam and phishing emails at an all-time high, it is important to be cautious about suspicious emails that contain attachments or hyperlinks, as you could be just one click away from infecting your system with ransomware or unknowingly giving your password to a cybercriminal.

Eden responsibly disclosed the issue to MailChimp on 4 December 2017 and received word the next day that the marketing automation platform intended to fix the flaw. MailChimp confirmed in a tweet on 18 January that it had fixed the bug.

That same day, Eden went live with his publication of the issue.