An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04.
When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.)
This says “Hello new site, I was referred here by this previous website.” This has some privacy implications – the administrator of a web site can see which website you were on. Usually this is fairly benign, but it can leak sensitive information, as I shall demonstrate.
On my website’s referral logs, I noticed these links:
They are caused by users receiving an email from a MailChip mailing list. You’ll notice each link is unique. If you visit the links, you can see the newsletter that was sent out.
That’s not much of a privacy issue, unless the title was particularly salacious, but the next part is a problem.
The link goes to the web version of a specific user’s copy of the email. Which means, at the bottom, there are links to change their email address.
What happens if you visit the update email address link?
Foiled! Unless it is a very specific email, you won’t be able to recover any information.
D*****.T****@w*********.gov might be revealing, for example.
But it’s when you visit the unsubscribe link at the bottom of the update email page that things go wrong:
The user’s full email address is visible.
(I’ve spoken with Dan and he graciously agreed to let me share a screenshot of his email. You should check out his website http://newlocalmedia.com/)
So, there you have it. If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner.
MailChimp can easily fix this. It’s possible for a website to tell a browser not to send referrer information. There are two main ways to do this.
Each link can be explicitly set not to provide a referrer:
<a href="https://example.com/" rel="noreferrer">
Alternatively, the whole page can be set not to leak referral data:
<meta name="referrer" content="none">
- Monday 4th December – I emailed whitehat (at) mailchimp.com as recommended by a MailChimp engineer. I informed them that I’d publish a month after notification.
- Tuesday 5th December – Confirmation from MailChimp that they would correct this flaw.
- Tuesday 3rd January – Asked for progress, due to the holidays they asked me to delay publication.
- Thursday 18th January – Published this post.
The issue has been fixed. We’re sorry for the delay, and we’re reviewing how we handle reported issues.
— Mailchimp (@Mailchimp) January 18, 2018