Bookmark: "MailChimp leaks your email address"

Sebastian Greger


Summarizing this classic oversight by a major newsletter service provider, as responsibly disclosed by Terence Eden:

  1. The referrer (or: referer, as it is misspelled in the HTTP protocol) string sent by a browser arriving from a newsletter contains the subscriber's ID
  2. A website admin can open the “Manage subscription” page using that ID and is only shown an obfuscated email address, but can still change the subscription, which is a problem in itself
  3. Clicking “Unsubscribe” leads to a screen that now contains the unobfuscated email address

Hence, until Mailchimp fixed this vulnerability a good month later, the consequence was:

If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner.

What can we learn from this?

  • Whenever you publish anything on the web, make a privacy impact assessment of sending any form of referrer URL (and, when in doubt, do not send a Referer header at all)
  • Even if a user ID is known to an outsider, they should be able neither to modify that user's data nor to determine who is behind the pseudonym

These are really two very basic safety steps when designing for privacy. Yet, as the example shows, even big companies whose business is chiefly built upon dealing with personal data sometimes miss these two crucial checks.

I'm Sebastian, Sociologist and Interaction Designer. This journal is mostly about bringing together social science and design for inclusive, privacy-focused, and sustainable "human-first" digital strategies. I also tend to a "digital garden" with carefully curated resources.

My occasionally sent email newsletter has all of the above, and there is of course also an RSS feed or my Mastodon/Fediverse profile.