MailChimp, the bulk email company responsible for sending millions of newsletters, promotional mail and other mass communiques every day, has been leaking respondents’ email addresses.
Security researcher Terence Eden found what he termed “an annoying privacy violation,” adding that the issue can expose personal information. The issue is this: When a respondent clicks a link in a MailChimp email, the browser opens the link and sends the newly visited webpage what is known as a “Referer Header” (the misspelling is intentional).
“This says, ‘Hello new site, I was referred here by this previous website,’” said Eden, in a blog. “This has some privacy implications – the administrator of a website can see which website you were on. Usually this is fairly benign, but it can leak sensitive information.”
As part of generating these Referer Headers, when users receive an email from a MailChip mailing list, it generates a unique link that points to the newsletter or other piece of mail that was sent out, he explained, which are collated in logs that can be accessed by the site administrator. The link goes to the web version of a specific user's copy of the email, which means, at the bottom, there are links to change the email address as well as unsubscribe.
The unsubscribe link, when clicked, shows the user’s full email address.
It may sound relatively harmless, but the implication is that the site administrator has a copy of not only what the person may be interested in but also a list of valid emails – which is enough to craft spear phishing or watering hole attacks. Or nefarious sorts could simply brute-force the account and set about stealing information.
“If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner,” Eden said.
The issue is however limited in its impact to one's security posture, and researchers pointed out the mass insecurity of email addresses in general.
“At the risk of angering the privacy gods, so what!" Chris Roberts, chief security architect at Acalvio, told Infosecurity. "Yes, it’s not good that it’s possible to reverse into the email address from a link. It never is. [However], Ancestry [recently] lost 300,000 email accounts. That’s 300,000 that I DON’T have to reverse into each and every one. I don’t have to play 'hunt the unsubscribe link'. I just get a nice, big file of 300,000 of them dropped into my lap."
Joseph Carson, chief security scientist at Thycotic, had a similar take. "Given that in recent years more than 4.5 billion credentials and identities have been leaked as a result of several major data breaches, including high-profile data breaches such as Yahoo and Equifax, as well as security researchers finding almost 2 billion compromised passwords on the Dark Net for sale, it is very likely that your email address has already been leaked, or, worse, your previously used passwords," he said, via email.
This is, however, a good reminder to improve one's basic security habits.
"With spam and phishing emails at an all-time high, it is important to be cautious about suspicious emails that contain attachments or hyperlinks, as you could be just one click away from infecting your system with ransomware or unknowingly giving your password to a cybercriminal," Carson said.
Eden responsibly disclosed the issue, and MailChimp has fixed the flaw.