An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04.
When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.)
This says "Hello new site, I was referred here by this previous website." This has some privacy implications - the administrator of a web site can see which website you were on. Usually this is fairly benign, but it can leak sensitive information, as I shall demonstrate.
On my website's referral logs, I noticed these links:
They are caused by users receiving an email from a MailChimp mailing list. You'll notice each link is unique. If you visit the links, you can see the newsletter that was sent out.
That's not much of a privacy issue, unless the title was particularly salacious, but the next part is a problem.
The link goes to the web version of a specific user's copy of the email, which means that, at the bottom, there are links to change their email address.
What happens if you visit the update email address link?
Foiled! Unless it is a very specific email, you won't be able to recover any information.
D*****.T****@w*********.gov might be revealing, for example.
But it's when you visit the unsubscribe link at the bottom of the update email page that things go wrong:
The user's full email address is visible.
(I've spoken with Dan and he graciously agreed to let me share a screenshot of his email. You should check out his website http://newlocalmedia.com/)
So, there you have it. If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner.
MailChimp can easily fix this. It's possible for a website to tell a browser not to send referrer information. There are two main ways to do this.
Each link can be explicitly set not to provide a referrer:
<a href="https://example.com/" rel="noreferrer">Link text</a>
Alternatively, the whole page can be set not to leak referral data (the value defined by the Referrer Policy standard is no-referrer):
<meta name="referrer" content="no-referrer">
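As an added example (not MailChimp's code, and not from the original post), here is a small Python audit that parses a newsletter's web-version HTML and reports the third-party links that would still send a Referer, treating either fix above (rel="noreferrer" on the link, or a page-wide no-referrer meta policy) as sufficient. The host names and sample HTML are constructed; it assumes a hypothetical page host of newsletter.example.net.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Only the standard Referrer Policy token is accepted; legacy spellings are
# deliberately not recognised, so a template relying on them gets flagged.
NO_REFERRER = "no-referrer"

class ReferrerAudit(HTMLParser):
    """Collect third-party links that would still send a Referer header."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.page_policy = None   # content of <meta name="referrer">, if present
        self.leaky_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # HTMLParser lower-cases attribute names
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.page_policy = (a.get("content") or "").strip().lower()
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if not host or host == self.page_host:
                return            # relative or same-site link: nothing leaks
            rel = (a.get("rel") or "").lower().split()
            policy = (a.get("referrerpolicy") or "").strip().lower()
            if "noreferrer" in rel or policy == NO_REFERRER:
                return            # per-link opt-out is in place
            self.leaky_links.append(a["href"])

def audit(html, page_host):
    """Return the outbound hrefs that would reveal this page's URL on click."""
    parser = ReferrerAudit(page_host)
    parser.feed(html)
    if parser.page_policy == NO_REFERRER:
        return []                 # page-wide policy covers every link
    return parser.leaky_links

# Constructed sample: a per-recipient "view in browser" page on the
# hypothetical host newsletter.example.net, linking out to an article.
PAGE_HOST = "newsletter.example.net"
LEAKY = ('<html><body><a href="https://example.com/blog/">Read more</a>'
         '<a href="/unsubscribe">Unsubscribe</a></body></html>')
FIXED_LINK = '<a href="https://example.com/blog/" rel="noreferrer">Read more</a>'
FIXED_PAGE = '<meta name="referrer" content="no-referrer">' + LEAKY

if __name__ == "__main__":
    print(audit(LEAKY, PAGE_HOST))       # ['https://example.com/blog/']
    print(audit(FIXED_LINK, PAGE_HOST))  # []
    print(audit(FIXED_PAGE, PAGE_HOST))  # []
```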
- Monday 4th December - I emailed whitehat (at) mailchimp.com as recommended by a MailChimp engineer. I informed them that I'd publish a month after notification.
- Tuesday 5th December - Confirmation from MailChimp that they would correct this flaw.
- Tuesday 3rd January - Asked for progress, due to the holidays they asked me to delay publication.
- Thursday 18th January - Published this post.
The issue has been fixed. We’re sorry for the delay, and we’re reviewing how we handle reported issues.
— Mailchimp (@Mailchimp) January 18, 2018
8 thoughts on “MailChimp leaks your email address”
Andrew McGlashan says:
It gets worse: all the tracking in emails and the providers (not just Mailchimp) using alternative domain names. It makes it harder to be sure that the other domain names being used are legitimate. These days, I won't click on any links that cannot be easily verified in an email ... even if it is from a "trusted" sender. If there are specials in an email, those specials are usually found directly on the website. If it is a "special" special, i.e. one that needs the special link to redeem, then I usually forgo the offer unless it is too good to refuse (it usually is not too good to refuse and if it is too good to refuse, then it is more likely a phishing attempt). Specials usually come time and time again anyway, so those "marketing" emails that say about limited time offers, I'm quite happy to ignore them.
Jessica Rose says:
Marc Hedlund says:
Thanks so much for letting us know about this and for the follow-up.
Pingback from MailChimp Fixes Privacy Issue that Leaked Respondents' Email Addresses:
[…] mobile enthusiast Terence Eden discovered what he calls an “annoying privacy violation” while viewing the referral logs for his […]
This is a fairly common oversight which many companies have made/are making. Good find as MailChimp is used by many large companies!
Pingback from MailChimp plugs a hole that could have leaked your email address:
[…] researcher Terence Eden found an interesting privacy issue last month in MailChimp, the market-leading email newsletter service that recently controversially […]
“If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner,” Eden wrote in a write up of the flaw published to his personal blog Thursday.
I think MailChimp is still doing it. A couple of months ago I subscribed to a newsletter, which uses links to articles as you show above. I started getting junk emails, lots of junk emails, really junky junk emails. Unsubscribed from the newsletter last week.
Yesterday, I learned that this newsletter is sent out using MailChimp. Searched and came upon your excellent detective work. I had taken a screenshot when I unsubscribed, examined it, and the address was not the website I was unsubscribing from, but rather africauniteds.com (sorry, no apparent way to upload a picture).
Junk emails continue without respite.