So you make the mistake of adding tracking to every email you send out. Including sensitive ones.

I recently signed up to online learning platform Udacity. As part of registration, they want me to confirm my email address. Pretty normal behaviour.

Because I'm a paranoid fellow, I wanted to see where the big VERIFY EMAIL link went.

Ah! An insecure http link to their email tracking platform.

Never mind, thought I, there's a plain link underneath that one. Hmmm.... I wonder where that goes.

Oh, right. That's also insecurely tracked. To be clear, the text of the URl is https but the link it points to is http.

What's the problem?

Links to http sites are not secure. That means your visit to that URl can be seen by your ISP and anyone else between you and your destination. Your ISP can change the contents of that page and a malicious entity could - potentially - hijack your credentials.

In this case, all the links go via SendGrid. You have no protection if they get hacked, or decide to harvest your credentials.

How to solve it?

STOP TRACKING EVERY LINK IN YOUR EMAILS!

Or, if you really have to - make sure your tracking server supports https.

Disclosure timeline

There's no dedicated security contact for Udacity. I went through their regular contact page

• 2018-03-11 Asked to make responsible disclosure
• 2018-03-12 Udacity asked for more information. I sent details & screenshots.
• 2018-03-13 Report accepted and bug bounty issued.
• 2018-04-13 Publication.

Reward

Obviously, for a vulnerability of this magnitude, I was expecting a bug bounty of several million dollars. Nevertheless, I'm rather pleased with my free Udacity T-Shirt, sticker, pen, and notebook 😊