MailChimp has plugged a hole that could have exposed the email addresses of newsletter subscribers.
Blogger Terence Eden notified the company about the problem in December. Yesterday, MailChimp informed Eden: “The problem has been fixed. We’re sorry for the delay, and we’re reviewing how we handle reported issues.”
Eden describes the problem as “an annoying privacy violation from leading email newsletter company MailChimp.”
He continues: “If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner.”
Checking his own website’s referral logs, Eden noticed links “caused by users receiving an email from a MailChimp mailing list.”
He notes that if you visit the unique links, “you can see the newsletter that was sent out.”
Eden continues: “That’s not much of a privacy issue unless the title was particularly salacious, but the next part is a problem.”
As writer David Bisson explains it, Eden then realized “that each link went to a user’s specific copy of the newsletter, meaning he could update the user’s email or unsubscribe them if he wished.”
One possible result: “Technically, a malicious domain owner could exploit.”
Eden’s article drew several responses, including this one:
“This is a fairly common oversight which many companies have made/are making. Good find as MailChimp is used by many large companies.”