MailChimp leaks your email address


An annoying privacy violation from leading email newsletter company MailChimp. Responsibly disclosed on 2017-12-04.

When you click a link on a webpage or an email, your browser opens up that link and sends the newly visited webpage a Referer Header. (The misspelling is a historical artefact.)

This says "Hello new site, I was referred here by this previous website." This has some privacy implications - the administrator of a web site can see which website you were on. Usually this is fairly benign, but it can leak sensitive information, as I shall demonstrate.

On my website's referral logs, I noticed these links:

MailChimp Referral Logs

They are caused by users receiving an email from a MailChimp mailing list. You'll notice each link is unique. If you visit the links, you can see the newsletter that was sent out.

HackerNews Newsletter

That's not much of a privacy issue, unless the title was particularly salacious, but the next part is a problem.

The link goes to the web version of a specific user's copy of the email. Which means, at the bottom, there are links to change their email address.

End of newsletter containing links

What happens if you visit the update email address link?

Change email address page with obscured email address

Foiled! Unless it is a very specific email, you won't be able to recover any information. D*****.T****@w*********.gov might be revealing, for example.

But it's when you visit the unsubscribe link at the bottom of the update email page that things go wrong:

Unsubscribe link showing full email address

The user's full email address is visible.

(I've spoken with Dan and he graciously agreed to let me share a screenshot of his email. You should check out his website http://newlocalmedia.com/)

So, there you have it. If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner.

A Fix

MailChimp can easily fix this. It's possible for a website to tell a browser not to send referrer information. There are two main ways to do this.

Each link can be explicitly set not to provide a referrer:
<a href="https://example.com/" rel="noreferrer">

Alternatively, the whole page can be set not to leak referral data:
<meta name="referrer" content="none">
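
A small audit of the fix described above, added here as an example and not MailChimp's or the author's code: it scans the HTML of a newsletter web-view page for cross-origin links that would still send a Referer, i.e. links with no rel="noreferrer" on a page with no blocking meta referrer policy. The page URL, link targets and HTML are constructed sample values; the attribute matching is regex-based and assumes simple, well-formed markup.

```javascript
// Policy values that suppress the Referer entirely. "no-referrer" is the current
// spec value; "none" (as used in the post) and "never" are older spellings.
const NO_REFERRER_POLICIES = new Set(["no-referrer", "none", "never"]);

// Read one attribute value out of a single tag's attribute string (regex-based,
// assumes quoted attribute values and simple markup).
function attr(attrs, name) {
  const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// Page-wide policy from <meta name="referrer" content="...">, or null if absent.
function pagePolicy(html) {
  for (const m of html.matchAll(/<meta\b([^>]*)>/gi)) {
    if ((attr(m[1], "name") || "").toLowerCase() === "referrer") {
      return (attr(m[1], "content") || "").toLowerCase();
    }
  }
  return null;
}

// Return { policy, leaks }: leaks lists cross-origin http(s) hrefs that would
// carry a Referer when clicked (no rel="noreferrer" and no blocking page policy).
function auditReferrerLeaks(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const policy = pagePolicy(html);
  const pageBlocks = NO_REFERRER_POLICIES.has(policy);
  const leaks = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const href = attr(m[1], "href");
    if (!href) continue;
    let target;
    try { target = new URL(href, pageUrl); } catch { continue; } // malformed href
    if (!/^https?:$/.test(target.protocol)) continue;          // mailto:, tel:, ...
    if (target.origin === pageOrigin) continue;                // same-site links are not the issue here
    const linkBlocks = /\bnoreferrer\b/i.test(attr(m[1], "rel") || "");
    if (!pageBlocks && !linkBlocks) leaks.push(target.href);
  }
  return { policy, leaks };
}

// Constructed sample: a web-view page in the shape the post describes.
const SAMPLE_PAGE_URL = "https://campaign-archive.example/?u=abc&id=123&e=def";
const SAMPLE_HTML = `<html><body>
<a href="https://news.example.org/item?id=1">Top story</a>
<a href="https://example.org/" rel="noopener noreferrer">Safe link</a>
<a href="/profile?u=abc&e=def">Update your email address</a>
<a href="mailto:editor@example.org">Reply</a>
</body></html>`;

console.log(auditReferrerLeaks(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

Prepending `<meta name="referrer" content="no-referrer">` to the sample page makes the leak list empty, which is the page-wide form of the fix.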

Response timeline

  • Monday 4th December - I emailed whitehat (at) mailchimp.com as recommended by a MailChimp engineer. I informed them that I'd publish a month after notification.
  • Tuesday 5th December - Confirmation from MailChimp that they would correct this flaw.
  • Tuesday 3rd January - Asked for progress; due to the holidays, they asked me to delay publication.
  • Thursday 18th January - Published this post.


Discussion around the web

5 thoughts on “MailChimp leaks your email address”

  1. It gets worse, all the tracking in emails and the providers (not just Mailchimp) using alternative domain names. It makes it harder to be sure that the other domain names being used are legitimate. These days, I won't click on any links that cannot be easily verified in an email ... even if it is from a "trusted" sender. If there are specials in an email, those specials are usually found directly on the website. If it is a "special" special, i.e. one that needs the special link to redeem, then I usually forgo the offer unless it is too good to refuse (it usually is not too good to refuse and if it is too good to refuse, then it is more likely a phishing attempt). Specials usually come time and time again anyway, so those "marketing" emails that say about limited time offers, I'm quite happy to ignore them.

    Oh and I turned off javascript processing in Thunderbird too, so it helps make emails I receive more safe and doesn't send signals (via javascript) when I open emails -- and images.... I am selective as to which images are allowed to be shown.

  2. This is a fairly common oversight which many companies have made/are making. Good find as MailChimp is used by many large companies!
